On 03/27/2015 03:14 PM, Rob Crittenden wrote:
> David Kupka wrote:
>> https://fedorahosted.org/freeipa/ticket/4190
>>
>> To test this on F22 my patch 42 is needed.
>
> NACK.
>
> You need to bump the VERSION in ipa.conf for this file to be replaced on
> upgrades.

Thanks for the catch, Rob. I've forgotten about this.

> This also provides an opportunity to drop the cgi-bin configuration.
> This is a legacy from IPA v1.0 where people had TONS, loads and heaps of
> problems getting Kerberos working, so we provided a CGI to spit out the
> environment to help with troubleshooting.

If we can safely remove it, we should do it. I did a quick test and it looks like everything works without it.

> rob

Updated patch attached.

--
David Kupka
From 82b197b53124d8ba94bd8daf2393e50aada58f2d Mon Sep 17 00:00:00 2001
From: David Kupka <dku...@redhat.com>
Date: Wed, 25 Mar 2015 05:22:03 -0400
Subject: [PATCH] Use mod_auth_gssapi instead of mod_auth_kerb.

https://fedorahosted.org/freeipa/ticket/4190
---
 freeipa.spec.in                |  4 +++-
 init/systemd/ipa.conf.tmpfiles |  1 +
 install/conf/ipa.conf          | 33 ++++++---------------------------
 ipalib/session.py              | 20 ++++++++++----------
 ipaserver/rpcserver.py         |  2 +-
 5 files changed, 21 insertions(+), 39 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: httpd >= 2.4.6-6
 Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
 Requires: python-krbV
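Review bot: the new floor `Requires: mod_auth_gssapi >= 1.1.0-2` is not justified anywhere; the commit message should say which ipa.conf directives need that release (presumably the S4U2Proxy support behind `GssapiUseS4U2Proxy`). Also note that dropping `Requires: mod_auth_kerb` neither conflicts with nor obsoletes it, so on an upgraded server the old module stays installed and loaded from its own conf.modules.d snippet; harmless, but worth a sentence in the commit message so nobody wonders why both modules are present.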
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
 
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
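Review bot: `install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches` only exists to satisfy the `%dir` entry in %files; at runtime /run is tmpfs and the directory is created by the tmpfiles entry, so the two definitions must stay in sync (they do: 0700, apache:apache in both). A short comment above this line saying so would save the next person from "fixing" one without the other.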
@@ -680,6 +681,7 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,2 +1,3 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
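Review bot: nothing in this patch removes the per-user ccache files that mod_auth_gssapi writes into /var/run/httpd/clientcaches once a session has been established, so on a busy server they accumulate until reboot, and each one holds delegated user credentials. Consider an age field on this line so `systemd-tmpfiles --clean` prunes stale entries, e.g. `d /var/run/httpd/clientcaches 0700 apache apache 1d`, and keep the 0700 apache:apache restriction as written.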
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 7eede73efc559967925d2bbfeee54e1e2efd3e21..92637c04d4f961a0b7f016fe125341c63f400285 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,9 +1,8 @@
 #
-# VERSION 16 - DO NOT REMOVE THIS LINE
+# VERSION 17 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>
 
-KrbConstrainedDelegationLock ipa
-
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 <Location "/ipa">
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 </Location>
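Review bot: `KrbAuthRealms $REALM` has no replacement in the new block; mod_auth_gssapi accepts any principal whose ticket the keytab can decrypt, so with a cross-realm trust in place Apache now lets principals from trusted realms through to the WSGI handlers and authorization has to happen there. If that is intended, state it in the commit message. The rest maps cleanly: `GssapiBasicAuth` defaults to off, so dropping `KrbMethodK5Passwd off` keeps password fallback disabled, and `GssapiDelegCcacheDir` is what makes `KRB5CCNAME` available to rpcserver.py. Two nits: `KrbConstrainedDelegationLock ipa` disappears without a note on how mod_auth_gssapi serialises S4U2Proxy, and the two `GssapiCredStore` lines pointing at the same `ipa.keytab` deserve a comment explaining why `client_keytab:` is needed for S4U2Proxy.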
@@ -174,21 +168,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
     AddHandler wsgi-script .py
 </Directory>
 
-# Protect our CGIs
-<Directory /var/www/cgi-bin>
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  Require valid-user
-  ErrorDocument 401 /ipa/errors/unauthorized.html
-</Directory>
-
-
 # migration related pages
 Alias /ipa/migration "/usr/share/ipa/migration"
 <Directory "/usr/share/ipa/migration">
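Review bot: removing the `<Directory /var/www/cgi-bin>` block drops Kerberos protection from that path, but the spec diff in this patch removes no CGI script from %files. Confirm that IPA no longer installs anything under /var/www/cgi-bin; if the old troubleshooting CGI still ships, it goes from Kerberos-protected to reachable by anyone via httpd's default ScriptAlias, and it was written to dump the server environment. If the directory is already empty this is fine, and the commit message should say the CGI itself was removed earlier.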
diff --git a/ipalib/session.py b/ipalib/session.py
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
--- a/ipalib/session.py
+++ b/ipalib/session.py
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
 There are 4 major players:
 
   1. client
-  2. mod_auth_kerb (in Apache process)
+  2. mod_auth_gssapi (in Apache process)
   3. wsgi handler (in IPA wsgi python process)
   4. ds (directory server)
 
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
 
   2. Client sends post to /ipa/json.
 
-  3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+  3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
      authenticate negotiate.
 
   4. Client resends with credentials
 
-  5. mod_auth_kerb validates credentials
+  5. mod_auth_gssapi validates credentials
 
      a. if invalid replies 403 access denied (stops here)
 
@@ -550,7 +550,7 @@ A few notes about the session implementation.
 Changes to Apache's resource protection
 ---------------------------------------
 
-  * /ipa/json is no longer protected by mod_auth_kerb. This is
+  * /ipa/json is no longer protected by mod_auth_gssapi. This is
     necessary to avoid the negotiate expense in steps 3,4,5
     above. Instead the /ipa/json resource will be protected in our wsgi
     handler via the session cookie.
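Review bot: "/ipa/json is no longer protected by mod_auth_gssapi" reads as if it once was; the original sentence described the move away from Apache-level protection, and a blind rename loses that. Suggest "no longer protected at the Apache level (it used to be, by mod_auth_kerb)" or simply "by the Apache auth module".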
@@ -583,15 +583,15 @@ The new sequence is:
 
   5. client sends request to /ipa/login to obtain session credentials
 
-  6. mod_auth_kerb replies 401 negotiate on /ipa/login
+  6. mod_auth_gssapi replies 401 negotiate on /ipa/login
 
   7. client sends credentials to /ipa/login
 
-  8. mod_auth_kerb validates credentials
+  8. mod_auth_gssapi validates credentials
 
      a. if valid
 
-        - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+        - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
           invoked and does the following:
 
           * establishes session for client
@@ -600,7 +600,7 @@ The new sequence is:
 
      a. if invalid
 
-        - mod_auth_kerb sends 403 access denied (processing stops)
+        - mod_auth_gssapi sends 403 access denied (processing stops)
 
   9. client now posts the same data again to /ipa/json including
      session cookie. Processing repeats starting at step 2 and since
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
 calls are marshalled and unmarshalled.
 
 Under the new scheme /ipa/xml will continue to be Kerberos protected
-at all times. Apache's mod_auth_kerb will continue to require the
+at all times. Apache's mod_auth_gssapi will continue to require the
 client provides valid Kerberos credentials.
 
 When the WSGI handler routes to /ipa/xml the Kerberos credentials will
 be extracted from the KRB5CCNAME environment variable as provided by
-mod_auth_kerb. Everything else remains the same.
+mod_auth_gssapi. Everything else remains the same.
 
 '''
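Review bot: worth adding here that mod_auth_gssapi only sets `KRB5CCNAME` when `GssapiDelegCcacheDir` is configured (as ipa.conf now does); unlike mod_auth_kerb's `KrbSaveCredentials on`, the dependency is not obvious from the directive name, and a reader of this docstring has no other pointer to it.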
 
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
     def __call__(self, environ, start_response):
         self.debug('WSGI login_kerberos.__call__:')
 
-        # Get the ccache created by mod_auth_kerb
+        # Get the ccache created by mod_auth_gssapi
         user_ccache_name=environ.get('KRB5CCNAME')
         if user_ccache_name is None:
             return self.internal_error(environ, start_response,
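Review bot: the `internal_error` path for a missing `KRB5CCNAME` is still right, but the ccache mod_auth_gssapi hands over is now a file under /var/run/httpd/clientcaches, and nothing in this patch removes it once login_kerberos has set up the session; either delete it here after the credentials have been consumed or rely on the tmpfiles cleanup, and say which in a comment.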
-- 
2.3.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code