authorrcritten <devnull@localhost>2007-09-10 16:33:01 -0400
committerrcritten <devnull@localhost>2007-09-10 16:33:01 -0400
commit182fbe30945a8de005f00b460968dca7973342fb (patch)
tree644f8efd633cbb41a387fb33e3deab8de20718b5 /ipa-server/xmlrpc-server
parent37d10e0c51dc289d815c05cd4d051e9d4120399e (diff)
Enable mod_proxy to sit in front of TurboGears and pass along the
Kerberos principal name. Add an identity and visit class to TurboGears that can handle the user without requiring a database. Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py. It doesn't handle an unauthorized request because that can never happen.
Diffstat (limited to 'ipa-server/xmlrpc-server')
-rw-r--r--ipa-server/xmlrpc-server/ipa.conf36
1 files changed, 34 insertions, 2 deletions
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index b80c5c57f..30a7655a6 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -1,8 +1,8 @@
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
-Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+# Require kerberos authentication for the entire server
-<Directory "/usr/share/ipa/ipaserver">
+<LocationMatch />
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
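Review bot: `<LocationMatch />` takes a regular expression, and `/` matches every URL path, so the Kerberos requirement now also covers `/errors/unauthorized.html`, the page that `ErrorDocument 401` (visible in the next hunk's context) points to. A client that fails authentication will probably be refused the error page as well and get Apache's built-in 401 body instead. Since no pattern matching is needed, `<Location />` states the intent more plainly, and a separate `<Location /errors>` section that lifts the requirement (for example with `Satisfy Any` and `Allow from all`) would let the custom page be served. The section opened here is closed in the following hunk.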
@@ -13,6 +13,37 @@ Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /errors/unauthorized.html
+</LocationMatch>
+
+ProxyRequests Off
+
+<Proxy *>
+ RewriteEngine on
+ Order deny,allow
+ Allow from all
+
+ # We create a subrequest to find REMOTE_USER. Don't do this for every
+ # subrequest too (slow and huge logs result)
+ RewriteCond %{IS_SUBREQ}% false
+ RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
+ RequestHeader set X-Forwarded-User %{RU}e
+
+ # RequestHeader unset Authorization
+</Proxy>
+
+# The URI's with a trailing ! are those that aren't handled by the proxy
+ProxyPass /errors/ !
+ProxyPass /ipa !
+ProxyPass / http://localhost:8080/
+ProxyPassReverse /errors !
+ProxyPassReverse /ipa !
+ProxyPassReverse / http://localhost:8080/
+
+# Configure the XML-RPC service
+
+Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+
+<Directory "/usr/share/ipa/ipaserver">
SetHandler mod_python
PythonHandler ipaxmlrpc
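Review bot: The backend at `http://localhost:8080/` learns who the user is only from the `X-Forwarded-User` header, so any process that can reach port 8080 without going through this proxy can claim an arbitrary principal. `RequestHeader set` does overwrite a client-supplied copy on the proxied path, but nothing in this file shows that TurboGears listens on loopback only; a comment above that line such as `# Backend MUST bind to 127.0.0.1 only: it trusts X-Forwarded-User without further checks` would record the requirement. When the `RewriteCond` does not match, `RU` is never set and mod_headers will, as far as I know, send the literal `(null)`, so the identity provider should reject that value and an empty one. `# RequestHeader unset Authorization` is left commented out, which means the client's Negotiate token is forwarded to the backend; enabling it seems safer unless the backend needs the token. The trailing `%` in `%{IS_SUBREQ}%` looks like a typo that only works because the pattern is unanchored; `RewriteCond %{IS_SUBREQ} ^false$` would be clearer.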
@@ -22,3 +53,4 @@ Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
# this is pointless to use since it would just reload ipaxmlrpc.py
PythonAutoReload Off
</Directory>
+