diff options
author | Rob Crittenden <rcritten@redhat.com> | 2008-03-24 15:54:55 -0400 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2008-03-24 15:54:55 -0400 |
commit | 4c288e653aec9c5d58ef782f07a13b9efde6e148 (patch) | |
tree | f12861943fd91d944f99f8b63c1d905027228a35 | |
parent | 0b7117596d1ba201d8c8713bbc43fdbb04726d2d (diff) | |
download | freeipa-4c288e653aec9c5d58ef782f07a13b9efde6e148.tar.gz freeipa-4c288e653aec9c5d58ef782f07a13b9efde6e148.tar.xz freeipa-4c288e653aec9c5d58ef782f07a13b9efde6e148.zip |
Re-root the IPA web UI to /ipa and the XML-RPC interface to /ipaxml.
438021
-rw-r--r-- | ipa-python/rpcclient.py | 2 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipa_webgui.cfg | 4 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/proxyprovider.py | 15 | ||||
-rw-r--r-- | ipa-server/ipa-gui/ipagui/templates/master.kid | 12 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/ipa-rewrite.conf | 5 | ||||
-rw-r--r-- | ipa-server/xmlrpc-server/ipa.conf | 27 |
6 files changed, 34 insertions, 31 deletions
diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py index c3835568f..7fa075b1d 100644 --- a/ipa-python/rpcclient.py +++ b/ipa-python/rpcclient.py @@ -37,7 +37,7 @@ class RPCClient: def server_url(self, server): """Build the XML-RPC server URL from our configuration""" - return "https://" + server + "/ipa" + return "https://" + server + "/ipaxml" def setup_server(self): """Create our XML-RPC server connection using kerberos diff --git a/ipa-server/ipa-gui/ipa_webgui.cfg b/ipa-server/ipa-gui/ipa_webgui.cfg index e785f34ee..62d251cf3 100644 --- a/ipa-server/ipa-gui/ipa_webgui.cfg +++ b/ipa-server/ipa-gui/ipa_webgui.cfg @@ -29,7 +29,7 @@ server.thread_pool = 10 # if this is part of a larger site, you can set the path # to the TurboGears instance here -# server.webpath="" +server.webpath="/ipa" # Set to True if you are deploying your App behind a proxy # e.g. Apache using mod_proxy @@ -58,7 +58,7 @@ session_filter.storage_path='/var/cache/ipa/sessions' # Listen only on the local interface so all requests go through # Apache/mod_auth_kerb/mod_proxy. -server.server_port = 8080 +server.socket_port = 8080 server.socket_host="127.0.0.1" # LOGGING diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py index 5a145de14..5299091d2 100644 --- a/ipa-server/ipa-gui/ipagui/proxyprovider.py +++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py @@ -25,6 +25,7 @@ import ipa.config import ipa.group import ipa.user import ldap +import krbV log = logging.getLogger("turbogears.identity") @@ -132,7 +133,7 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider): user = IPA_User(user_name) log.debug( "validate_identity %s" % user_name) return ProxyIdentity(visit_key, user) - except: + except Exception, e: # Something went wrong in fetching the user. Set to # anonymous which will deny access. return ProxyIdentity( None ) @@ -143,12 +144,18 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider): def load_identity(self, visit_key): try: - user_name= cherrypy.request.headers['X-FORWARDED-USER'] os.environ["KRB5CCNAME"] = cherrypy.request.headers['X-FORWARDED-KEYTAB'] -# user_name = "test@FREEIPA.ORG" -# os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_500" + ccache = krbV.CCache(cherrypy.request.headers['X-FORWARDED-KEYTAB']) + user_name = ccache.principal().name +# user_name = "test@FREEIPA.ORG" +# os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_500" except KeyError: return None + except AttributeError: + return None + except krbV.Krb5Error: + return None + set_login_attempted( True ) return self.validate_identity( user_name, None, visit_key ) diff --git a/ipa-server/ipa-gui/ipagui/templates/master.kid b/ipa-server/ipa-gui/ipagui/templates/master.kid index d8b341428..ac850178a 100644 --- a/ipa-server/ipa-gui/ipagui/templates/master.kid +++ b/ipa-server/ipa-gui/ipagui/templates/master.kid @@ -24,13 +24,13 @@ <title py:replace="''">Your title goes here</title> <meta py:replace="item[:]"/> <style type="text/css" media="all"> - @import "${tg.url('/static/css/style_platform.css')}"; - @import "${tg.url('/static/css/style_platform-objects.css')}"; - @import "${tg.url('/static/css/style_freeipa.css')}"; + @import "/static/css/style_platform.css"; + @import "/static/css/style_platform-objects.css"; + @import "/static/css/style_freeipa.css"; </style> - <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/prototype.js')}"></script> - <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/scriptaculous.js?load=effects')}"></script> - <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/ipautil.js')}"></script> + <script type="text/javascript" charset="utf-8" src="/static/javascript/prototype.js"></script> + <script type="text/javascript" charset="utf-8" src="/static/javascript/scriptaculous.js?load=effects"></script> + <script type="text/javascript" charset="utf-8" src="/static/javascript/ipautil.js"></script> </head> <body py:match="item.tag=='{http://www.w3.org/1999/xhtml}body'" py:attrs="item.items()"> diff --git a/ipa-server/xmlrpc-server/ipa-rewrite.conf b/ipa-server/xmlrpc-server/ipa-rewrite.conf index 977be7398..af3a3afe2 100644 --- a/ipa-server/xmlrpc-server/ipa-rewrite.conf +++ b/ipa-server/xmlrpc-server/ipa-rewrite.conf @@ -1,5 +1,10 @@ RewriteEngine on +# By default forward all requests to /ipa. If you don't want IPA +# to be the default on your web server comment this line out. You will +# need to modify ipa_webgui.cfg as well. +RewriteRule ^/$$ https://$FQDN/ipa [L,NC,R=301] + # Redirect to the fully-qualified hostname. Not redirecting to secure # port so configuration files can be retrieved without requiring SSL. RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC] diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf index 10c9b5ec2..c08282e3b 100644 --- a/ipa-server/xmlrpc-server/ipa.conf +++ b/ipa-server/xmlrpc-server/ipa.conf @@ -22,36 +22,27 @@ AddType application/java-archive jar Order deny,allow Allow from all - # We create a subrequest to find REMOTE_USER. Don't do this for every - # subrequest too (slow and huge logs result) - RewriteCond %{IS_SUBREQ}% false - RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}] - RequestHeader set X-Forwarded-User %{RU}e RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e # RequestHeader unset Authorization </Proxy> # The URI's with a trailing ! are those that aren't handled by the proxy -ProxyPass /cgi-bin ! -ProxyPass /errors ! -ProxyPass /config ! -ProxyPass /ipa ! -#ProxyPass /ipatest ! -ProxyPass / http://localhost:8080/ -ProxyPassReverse /cgi-bin ! -ProxyPassReverse /errors ! -ProxyPassReverse /config ! -ProxyPassReverse /ipa ! -#ProxyPassReverse /ipatest ! -ProxyPassReverse / http://localhost:8080/ +ProxyPass /ipa http://localhost:8080/ipa +ProxyPassReverse /ipa http://localhost:8080/ipa # Configure the XML-RPC service +Alias /ipaxml "/usr/share/ipa/ipaserver/XMLRPC" -Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC" +# This is where we redirect on failed auth Alias /errors "/usr/share/ipa/html" + +# For the MIT Windows config files Alias /config "/usr/share/ipa/html" +# So we don't have to hardcode a path into the CSS +Alias /static "/usr/share/ipa/ipagui/static" + <Directory "/usr/share/ipa/ipaserver"> AuthType Kerberos AuthName "Kerberos Login" |