mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-27 09:21:59 -06:00
14b38b7704
This HTTP call takes the following parameters: * user * password * first_code * second_code * token (optional) Using this information, the server will perform token synchronization. If the token is not specified, all tokens will be searched for synchronization. Otherwise, only the token specified will be searched. https://fedorahosted.org/freeipa/ticket/4218 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
201 lines
4.8 KiB
Plaintext
201 lines
4.8 KiB
Plaintext
#
|
|
# VERSION 16 - DO NOT REMOVE THIS LINE
|
|
#
|
|
# This file may be overwritten on upgrades.
|
|
#
|
|
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
|
|
|
|
ProxyRequests Off
|
|
|
|
|
|
#We use xhtml, a file format that the browser validates
|
|
DirectoryIndex index.html
|
|
|
|
|
|
# Substantially increase the request field size to support MS-PAC
|
|
# requests, ticket #2767. This should easily support a 64KiB PAC.
|
|
LimitRequestFieldSize 100000
|
|
|
|
# ipa-rewrite.conf is loaded separately
|
|
|
|
# This is required so the auto-configuration works with Firefox 2+
|
|
AddType application/java-archive jar
|
|
AddType application/x-xpinstall xpi
|
|
|
|
# Proper header for .tff fonts
|
|
AddType application/x-font-ttf ttf
|
|
|
|
# Enable compression
|
|
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
|
|
application/javascript application/json text/css \
|
|
application/x-font-ttf
|
|
|
|
# Disable etag http header. Doesn't work well with mod_deflate
|
|
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
|
|
# Usage of last-modified header and modified-since validator is sufficient.
|
|
Header unset ETag
|
|
FileETag None
|
|
|
|
# FIXME: WSGISocketPrefix is a server-scope directive. The mod_wsgi package
|
|
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
|
|
WSGISocketPrefix /run/httpd/wsgi
|
|
|
|
|
|
# Configure mod_wsgi handler for /ipa
|
|
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
|
|
WSGIProcessGroup ipa
|
|
WSGIApplicationGroup ipa
|
|
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
|
|
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
|
|
WSGIScriptReloading Off
|
|
|
|
|
|
# Turn off mod_msgi handler for errors, config, crl:
|
|
<Location "/ipa/errors">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/config">
|
|
SetHandler None
|
|
</Location>
|
|
<Location "/ipa/crl">
|
|
SetHandler None
|
|
</Location>
|
|
|
|
KrbConstrainedDelegationLock ipa
|
|
|
|
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
|
|
<Location "/ipa">
|
|
AuthType Kerberos
|
|
AuthName "Kerberos Login"
|
|
KrbMethodNegotiate on
|
|
KrbMethodK5Passwd off
|
|
KrbServiceName HTTP
|
|
KrbAuthRealms $REALM
|
|
Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
|
KrbSaveCredentials on
|
|
KrbConstrainedDelegation on
|
|
Require valid-user
|
|
ErrorDocument 401 /ipa/errors/unauthorized.html
|
|
</Location>
|
|
|
|
# Turn off Apache authentication for sessions
|
|
<Location "/ipa/session/json">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/xml">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/login_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/change_password">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
<Location "/ipa/session/sync_token">
|
|
Satisfy Any
|
|
Order Deny,Allow
|
|
Allow from all
|
|
</Location>
|
|
|
|
# This is where we redirect on failed auth
|
|
Alias /ipa/errors "/usr/share/ipa/html"
|
|
|
|
# For the MIT Windows config files
|
|
Alias /ipa/config "/usr/share/ipa/html"
|
|
|
|
# Do no authentication on the directory that contains error messages
|
|
<Directory "/usr/share/ipa/html">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 0 seconds"
|
|
</Directory>
|
|
|
|
|
|
# For CRL publishing
|
|
Alias /ipa/crl "$CRL_PUBLISH_PATH"
|
|
<Directory "$CRL_PUBLISH_PATH">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Options Indexes FollowSymLinks
|
|
Satisfy Any
|
|
Allow from all
|
|
</Directory>
|
|
|
|
|
|
# List explicitly only the fonts we want to serve
|
|
Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/open-sans"
|
|
Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/fontawesome"
|
|
<Directory "/usr/share/fonts">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 1 year"
|
|
</Directory>
|
|
|
|
|
|
# webUI is now completely static, and served out of that directory
|
|
Alias /ipa/ui "/usr/share/ipa/ui"
|
|
<Directory "/usr/share/ipa/ui">
|
|
SetHandler None
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
ExpiresActive On
|
|
ExpiresDefault "access plus 1 year"
|
|
<FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
|
|
ExpiresDefault "access plus 0 seconds"
|
|
</FilesMatch>
|
|
</Directory>
|
|
|
|
# Simple wsgi scripts required by ui
|
|
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
|
|
<Directory "/usr/share/ipa/wsgi">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|
|
|
|
# Protect our CGIs
|
|
<Directory /var/www/cgi-bin>
|
|
AuthType Kerberos
|
|
AuthName "Kerberos Login"
|
|
KrbMethodNegotiate on
|
|
KrbMethodK5Passwd off
|
|
KrbServiceName HTTP
|
|
KrbAuthRealms $REALM
|
|
Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
|
KrbSaveCredentials on
|
|
Require valid-user
|
|
ErrorDocument 401 /ipa/errors/unauthorized.html
|
|
</Directory>
|
|
|
|
|
|
# migration related pages
|
|
Alias /ipa/migration "/usr/share/ipa/migration"
|
|
<Directory "/usr/share/ipa/migration">
|
|
AllowOverride None
|
|
Satisfy Any
|
|
Allow from all
|
|
Options ExecCGI
|
|
AddHandler wsgi-script .py
|
|
</Directory>
|