diff options
author | Christian Heimes <cheimes@redhat.com> | 2015-06-23 17:01:00 +0200 |
---|---|---|
committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-24 10:43:58 +0200 |
commit | 495da412f155603c02907187c21dd4511281df2c (patch) | |
tree | 8bc25d341bfdfb48673fbc24ba3f538ef87b6d41 /freeipa.spec.in | |
parent | 49d708f00fd13903dbd96193aac2c608e3512398 (diff) | |
download | freeipa-495da412f155603c02907187c21dd4511281df2c.tar.gz freeipa-495da412f155603c02907187c21dd4511281df2c.tar.xz freeipa-495da412f155603c02907187c21dd4511281df2c.zip |
Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'freeipa.spec.in')
-rw-r--r-- | freeipa.spec.in | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 809ac1e5b..caacf4bda 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -22,6 +22,10 @@ %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version: __VERSION__ Release: __RELEASE__%{?dist} @@ -95,6 +99,7 @@ BuildRequires: p11-kit-devel BuildRequires: pki-base >= 10.2.4-1 BuildRequires: python-pytest-multihost >= 0.5 BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy >= 0.3 %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -130,6 +135,7 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units >= 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} @@ -140,6 +146,7 @@ Requires: pki-kra >= 10.2.4-1 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 +Requires: python-kdcproxy >= 0.3 Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar @@ -429,6 +436,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_usr}/share/ipa/html/ @@ -458,6 +466,10 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e # Web UI plugin dir mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins +# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file) +mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/ +install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf + # NOTE: systemd specific section mkdir -p %{buildroot}%{_tmpfilesdir} install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf @@ -551,6 +563,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi +# create kdcproxy user +getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group} +getent passwd %{kdcproxy_user} >/dev/null || \ + /usr/sbin/useradd -r -m -c "IPA KDC Proxy User" -s /sbin/nologin \ + -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user} +exit 0 + %postun server-trust-ad if [ "$1" -ge "1" ]; then if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then @@ -683,9 +702,11 @@ fi %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter +%{_libexecdir}/ipa/ipa-httpd-kdcproxy %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter +%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ %dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/ @@ -777,10 +798,13 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf %{_usr}/share/ipa/ipa-pki-proxy.conf +%{_usr}/share/ipa/kdcproxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi @@ -903,6 +927,7 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb %dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db %ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db |