So I understand the mitigation of CSRF attacks. I would like ipa to be able to handle a specific set of referers. My use case may be less common since my freeipa instance is handling our server infrastructure not desktops.
I have everything working now. Here is an example nginx server config in case anyone else needs it:

    server {
        server_name ipa.corp.com;
        listen 443 ssl;

        location / {
            proxy_cookie_domain ldap.corp.com ipa.corp.com;
            proxy_pass https://ldap.corp.com/;
            proxy_set_header Referer https://ldap.corp.com/ipa/ui;
        }
    }

ipa.corp.com would be the external server and ldap.corp.com would be the internal server.

Thanks for your help.

Steve

On Mon, Feb 3, 2014 at 11:10 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
> On Mon, 03 Feb 2014, Steve Severance wrote:
>
>> Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
>> It now appears to authenticate fine when it posts the session but I have a
>> new error.
>>
>> I get an Ipa Error 911 "Missing HTTP referer. <br/> You have to configure
>> your browser to send HTTP referer header." I assume this is because the
>> external name doesn't match the internal name. Is there a way to modify
>> this somewhere?
>
> You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for
> details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the
> security errata addressing it.
>
> We are deliberately closing cross-site forgery by enforcing
> HTTP referrer checks.
>
> Your nginx proxy would be a middle man which we are attempting to
> protect against.
>
> Recent discussions on how to allow your use case but still keep the
> security tight can be seen here:
> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter
> part of the thread). Discussion stalled since then.
>
>> Thanks.
>>
>> Steve
>>
>> On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose <sb...@redhat.com> wrote:
>>
>>> On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
>>>> Hi Sumit, That does indeed work. What does that tell us?
>>>
>>> I'm sorry, but it only tells that in general GSSAPI/Kerberos is working.
>>> I think it does not help much with your original issue. About
>>> ipa-getkeytab, does it work if you specify the server with the
>>> -s/--server option?
>>>
>>> bye,
>>> Sumit
>>>
>>>> Steve
>>>>
>>>> On Wed, Jan 29, 2014 at 12:11 AM, Sumit Bose <sb...@redhat.com> wrote:
>>>>
>>>>> On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
>>>>>> Hi Everyone,
>>>>>>
>>>>>> I have deployed freeipa inside our production network. I want to be able to
>>>>>> access the web ui so I am attempting to add it to our nginx edge machine. I
>>>>>> can pass the requests upstream just fine but I am unable to login using a
>>>>>> username/password. I have enabled password authentication in the kerberos
>>>>>> section of the freeipa httpd config file. In the logs it looks like the
>>>>>> authentication succeeds and a ticket is issued. I assume that the cookie
>>>>>> that is returned (ipa_session) has the authentication information in it.
>>>>>> The subsequent call to get json data fails and I am prompted to login again.
>>>>>>
>>>>>> I found this thread (
>>>>>> https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
>>>>>> which has instructions on adding ipa.mydomain.com to the keytab. When I
>>>>>> call ipa-getkeytab it hangs for a bit before returning:
>>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>>>>
>>>>>> Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
>>>>>>
>>>>>> I get:
>>>>>> ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>>>>>> additional info: SASL(-4): no mechanism available:
>>>>>
>>>>> Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
>>>>> GSSAPI ....' ?
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> So we seem to have a SASL problem. If I run ldapsearch with -x simple
>>>>>> authentication works just fine.
>>>>>>
>>>>>> Do I need to do something special to enable SASL so I can get the keytab?
>>>>>> The ipa-getkeytab command does not seem to have an option to use simple
>>>>>> authentication.
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> Steve
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>> --
>> Steve Severance
>> Director of Engineering
>> Altos Research
>>
>> e. st...@altosresearch.com
>> m. (240) 472 - 9645
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> / Alexander Bokovoy

--
Steve Severance
Director of Engineering
Altos Research

e. st...@altosresearch.com
m. (240) 472 - 9645
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
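Added illustration, not FreeIPA's code and not part of the thread above: a small Python model of the Referer check Alexander describes, run against two proxy behaviours. The first mirrors the posted nginx block, where `proxy_set_header Referer` replaces the browser's Referer with a fixed internal URL, so the backend sees the same Referer on every proxied request, including ones that arrived with none or from another site; that is the middle-man effect the reply warns about. The second forwards the Referer unchanged and has the backend accept both the internal and the external name, the "specific set of referers" the first message asks for. `check_referer`, `evaluate`, the sample requests and the pass-through variant are assumptions made for this example; only the two hostnames come from the thread.

```python
# Added example (not FreeIPA's code): a minimal model of a Referer-based CSRF
# check, run against two reverse-proxy behaviours. The hostnames come from the
# thread; the request samples below are constructed for the demonstration.
from urllib.parse import urlsplit

INTERNAL_HOST = "ldap.corp.com"   # FreeIPA server behind the proxy
EXTERNAL_HOST = "ipa.corp.com"    # name the browser actually talks to


def check_referer(headers, allowed_hosts):
    """Mimic the behaviour described in the thread (assumed shape, not
    FreeIPA's implementation): reject a request that carries no Referer at
    all, and reject one whose Referer host is not in allowed_hosts.
    Returns (accepted, reason)."""
    referer = headers.get("Referer")
    if not referer:
        return False, "Missing HTTP referer"
    host = urlsplit(referer).hostname
    if host not in allowed_hosts:
        return False, "referer host %r is not an allowed origin" % host
    return True, "ok"


def proxy_rewrite_referer(headers):
    """Model of the posted nginx location block: `proxy_set_header Referer
    https://ldap.corp.com/ipa/ui` replaces whatever the browser sent (or
    did not send) before the request reaches the backend."""
    forwarded = dict(headers)
    forwarded["Referer"] = "https://%s/ipa/ui" % INTERNAL_HOST
    return forwarded


def proxy_pass_through(headers):
    """Alternative assumed for the comparison: forward the browser's Referer
    unchanged and instead let the backend accept the external name too."""
    return dict(headers)


# Constructed sample requests as they would leave the browser.
SAMPLE_REQUESTS = {
    "same_site": {"Referer": "https://%s/ipa/ui" % EXTERNAL_HOST,
                  "Cookie": "ipa_session=example"},
    "cross_site": {"Referer": "https://some-other-site.example/page",
                   "Cookie": "ipa_session=example"},
    "no_referer": {"Cookie": "ipa_session=example"},
}


def evaluate(proxy, allowed_hosts):
    """Run each sample through the proxy model, then through the backend
    check; return {sample name: accepted}."""
    return {name: check_referer(proxy(headers), allowed_hosts)[0]
            for name, headers in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("rewrite Referer at proxy, backend allows only the internal name:")
    print(" ", evaluate(proxy_rewrite_referer, {INTERNAL_HOST}))
    print("pass Referer through, backend allows internal and external name:")
    print(" ", evaluate(proxy_pass_through, {INTERNAL_HOST, EXTERNAL_HOST}))
```

In the first run every sample is accepted, the one with no Referer and the cross-site one included, because the proxy manufactures a valid-looking Referer for all of them; the check still fires, but it can no longer tell where a request came from. In the second run only the same-site sample is accepted, so the check keeps its meaning while the external name is still usable.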