On Wed, Jun 08, 2016 at 10:01:44AM +0200, Jan Pazdziora wrote:
> On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> > Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> > do this:
> >
> >
> >
> > AuthType GSSAPI
>
> This feels strange. The %{HTTP_HOS
On Tue, Jun 07, 2016 at 11:01:12AM -0400, Anthony Clark wrote:
> Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
> do this:
>
>
>
> AuthType GSSAPI
This feels strange. The %{HTTP_HOST} is the value of the Host: header
of the HTTP request. And on my setup, with ht
On Tue, Jun 07, 2016 at 09:50:07AM -0400, Anthony Clark wrote:
> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
>
> # Protect /ipa and everything below it in webspace
Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
do this:
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/cl
One thing I noticed was that once I had set up the proxy as per the
document from Jan, I was getting access denied to /ipa until I disabled the
Kerberos authentication stuff:
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
# AuthType GSSAPI
# AuthName "Kerberos Logi
Thanks a lot Jan. It works perfectly, and it is crystal-clear.
Best,
Karl
On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora wrote:
> On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>>
>> Hope this helps. I will likely do another writeup about this setup.
>
> https://www.adelton.com/fr
On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>
> Hope this helps. I will likely do another writeup about this setup.
https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
--
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, R
On Thu, Jun 02, 2016 at 03:00:36PM +0200, Karl Forner wrote:
>
> My problem is:
> I have an ipa.example.com server on the internal network, with
> self-signed certificates.
> I'd like to be able to connect to the UI from the internet, using
> https with other certificates (e.g. let's encrypt certi
Hi,
My problem is:
I have an ipa.example.com server on the internal network, with
self-signed certificates.
I'd like to be able to connect to the UI from the internet, using
https with other certificates (e.g. let's encrypt certificates).
So I tried to setup an SNI apache reverse proxy, but I cou
