author | rcritten@redhat.com <rcritten@redhat.com> | 2007-09-25 08:37:45 -0400 |
---|---|---|
committer | rcritten@redhat.com <rcritten@redhat.com> | 2007-09-25 08:37:45 -0400 |
commit | 0b65e95b57fca32bb37c2fc85b87983eec0a4d24 (patch) | |
tree | 76b5d1b0ac3ff88b56be388e3bc55fb5e2ec3b2c /ipa-server/xmlrpc-server/test/README | |
parent | fddae7a8a29ec2f06b7453b7e38b7b2fdbbd9eae (diff) | |
Make doing basic testing of Kerberos ticket forwarding and system setup
easier.
Diffstat (limited to 'ipa-server/xmlrpc-server/test/README')
-rw-r--r-- | ipa-server/xmlrpc-server/test/README | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/ipa-server/xmlrpc-server/test/README b/ipa-server/xmlrpc-server/test/README new file mode 100644 index 000000000..681622162 --- /dev/null +++ b/ipa-server/xmlrpc-server/test/README 
@@ -0,0 +1,53 @@ +Diagnosing Kerberos credentials cache problems is difficult. + +The first thing to try is to set LogLevel to debug in +/etc/httpd/conf/httpd.conf and restart Apache. + +Look in /var/log/httpd/error_log for any problems. + +Also check out /var/log/krb5kdc.log + +To simplify things and test just Kerberos ticket forwarding: + +The first test is with a CGI: + +- copy test.py /var/www/cgi-bin +- chmod +x /var/www/cgi-bin/test.py +- kinit admin (or some other existing user) +- curl -u : --negotiate http://yourhost.fqdn/cgi-bin/test.py + +For yourhost.fqdn use the fully-qualified hostname of your webserver. + +The output should look something like: + +KRB5CCNAME is FILE:/tmp/krb5cc_apache_TiMAbq +Sucessfully bound to LDAP using SASL mechanism GSSAPI + +This CGI uses the forwarded credentials to make an authenticated LDAP +connection. If this fails it means that Apache is not properly storing +the kerberos credentials. + +If that works, the second test more closely models the way that IPA works. + +- copy test_mod_python.py /usr/share/ipa/ipaserver +- uncomment the entries for ipatest in /etc/httpd/conf.d/ipa.conf. There are + entries for ProxyPass and ProxyReversePass, an Alias and a Directory +- restart Apache +- curl -u : --negotiate http://yourhost.fqdn/ipatest/ + +For yourhost.fqdn use the fully-qualified hostname of your webserver. + +The output should look something like: + +KRB5CCNAME: FILE:/tmp/krb5cc_apache_c0MU9o<br> +GATEWAY_INTERFACE: CGI/1.1<br> +... +SCRIPT_FILENAME: /usr/share/ipa/ipaserver/<br> +REMOTE_PORT: 45691<br> +REMOTE_USER: rcrit@GREYOAK.COM<br> +AUTH_TYPE: Negotiate<br> +KRB5CCNAME is FILE:/tmp/krb5cc_apache_c0MU9o<br> +Sucessfully bound to LDAP using SASL mechanism GSSAPI<br> + +It should print all of the environment variables available to mod_python +and do a GSSAPI LDAP connection. |
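Review bot: In the second test's step list, "ProxyReversePass" is not the name of the Apache directive; mod_proxy's directive is ProxyPassReverse, so a reader searching ipa.conf for the name as written will not find the entry to uncomment. Please correct it to "ProxyPass and ProxyPassReverse". The README also has no teardown section: it leaves LogLevel at debug, leaves test.py executable in /var/www/cgi-bin, and leaves the ipatest entries enabled, and the second test prints every environment variable available to mod_python (including KRB5CCNAME and REMOTE_USER) to whoever requests /ipatest/. Suggest a closing list that removes test.py, re-comments the ipatest entries, restores LogLevel and restarts Apache. Minor: "Sucessfully" in both sample outputs is misspelled; if that matches what test.py prints, fix it there as well so the README and the script stay in step.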