IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity
Files
d567aa4441f99673dddf1e2deb753eb66cb8ddfb
freeipa/ipa-server/xmlrpc-server/test/README
rcritten@redhat.com f8eda3da3e Fix a couple of XML-RPC functions that were missing the opts argument 
Include a kerberized XML-RPC client that will list the XML-RPC API
2007-09-26 16:31:43 -04:00

61 lines
2.0 KiB
Plaintext
Raw Blame History

Diagnosing Kerberos credentials cache problems is difficult.
The first thing to try is to set LogLevel to debug in
/etc/httpd/conf/httpd.conf and restart Apache.
Look in /var/log/httpd/error_log for any problems.
Also check out /var/log/krb5kdc.log
To simplify things and test just Kerberos ticket forwarding:
The first test is with a CGI:
- copy test.py /var/www/cgi-bin
- chmod +x /var/www/cgi-bin/test.py
- kinit admin (or some other existing user)
- curl -u : --negotiate http://yourhost.fqdn/cgi-bin/test.py
For yourhost.fqdn use the fully-qualified hostname of your webserver.
The output should look something like:
KRB5CCNAME is FILE:/tmp/krb5cc_apache_TiMAbq
Sucessfully bound to LDAP using SASL mechanism GSSAPI
This CGI uses the forwarded credentials to make an authenticated LDAP
connection. If this fails it means that Apache is not properly storing
the kerberos credentials.
If that works, the second test more closely models the way that IPA works.
- mkdir /usr/share/ipa/ipatest
- cp test_mod_python.py /usr/share/ipa/ipatest
- uncomment the entries for ipatest in /etc/httpd/conf.d/ipa.conf. There are
entries for ProxyPass and ProxyReversePass, an Alias and a Directory
- restart Apache
- curl -u : --negotiate http://yourhost.fqdn/ipatest/
For yourhost.fqdn use the fully-qualified hostname of your webserver.
The output should look something like:
KRB5CCNAME: FILE:/tmp/krb5cc_apache_c0MU9o<br>
GATEWAY_INTERFACE: CGI/1.1<br>
...
SCRIPT_FILENAME: /usr/share/ipa/ipaserver/<br>
REMOTE_PORT: 45691<br>
REMOTE_USER: rcrit@GREYOAK.COM<br>
AUTH_TYPE: Negotiate<br>
KRB5CCNAME is FILE:/tmp/krb5cc_apache_c0MU9o<br>
Sucessfully bound to LDAP using SASL mechanism GSSAPI<br>
It should print all of the environment variables available to mod_python
and do a GSSAPI LDAP connection.
A final test, which lists the capabilities of the XML-RPC server is
test_methods.py. This is more a sanity check that new functions added
to the server work as expected.
Note that opts is added by the server itself and is not passed in by the user.
Reference in New Issue View Git Blame Copy Permalink