Re-root the IPA web UI to /ipa and the XML-RPC interface to /ipaxml.

438021

5 files changed, 33 insertions, 30 deletions

diff --git a/ipa-server/ipa-gui/ipa_webgui.cfg b/ipa-server/ipa-gui/ipa_webgui.cfg
index e785f34ee..62d251cf3 100644
--- a/ipa-server/ipa-gui/ipa_webgui.cfg
+++ b/ipa-server/ipa-gui/ipa_webgui.cfg
@@ -29,7 +29,7 @@ server.thread_pool = 10
 
 # if this is part of a larger site, you can set the path
 # to the TurboGears instance here
-# server.webpath=""
+server.webpath="/ipa"
 
 # Set to True if you are deploying your App behind a proxy
 # e.g. Apache using mod_proxy
@@ -58,7 +58,7 @@ session_filter.storage_path='/var/cache/ipa/sessions'
 
 # Listen only on the local interface so all requests go through
 # Apache/mod_auth_kerb/mod_proxy.
-server.server_port = 8080
+server.socket_port = 8080
 server.socket_host="127.0.0.1"
 
 # LOGGING
diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py
index 5a145de14..5299091d2 100644
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@@ -25,6 +25,7 @@ import ipa.config
 import ipa.group
 import ipa.user
 import ldap
+import krbV
 
 log = logging.getLogger("turbogears.identity")
 
@@ -132,7 +133,7 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
             user = IPA_User(user_name)
             log.debug( "validate_identity %s" % user_name)
             return ProxyIdentity(visit_key, user)
-        except:
+        except Exception, e:
             # Something went wrong in fetching the user. Set to
             # anonymous which will deny access.
             return ProxyIdentity( None )
@@ -143,12 +144,18 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
 
     def load_identity(self, visit_key):
         try:
-            user_name= cherrypy.request.headers['X-FORWARDED-USER']
             os.environ["KRB5CCNAME"] = cherrypy.request.headers['X-FORWARDED-KEYTAB']
-#             user_name = "test@FREEIPA.ORG"
-#             os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_500"
+            ccache = krbV.CCache(cherrypy.request.headers['X-FORWARDED-KEYTAB'])
+            user_name = ccache.principal().name
+#            user_name = "test@FREEIPA.ORG"
+#            os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_500"
         except KeyError:
             return None
+        except AttributeError:
+            return None
+        except krbV.Krb5Error:
+            return None
+
         set_login_attempted( True )
         return self.validate_identity( user_name, None, visit_key )
 
diff --git a/ipa-server/ipa-gui/ipagui/templates/master.kid b/ipa-server/ipa-gui/ipagui/templates/master.kid
index d8b341428..ac850178a 100644
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid
@@ -24,13 +24,13 @@
     <title py:replace="''">Your title goes here</title>
     <meta py:replace="item[:]"/>
     <style type="text/css" media="all">
-    @import "${tg.url('/static/css/style_platform.css')}";
-    @import "${tg.url('/static/css/style_platform-objects.css')}";
-    @import "${tg.url('/static/css/style_freeipa.css')}";
+    @import "/static/css/style_platform.css";
+    @import "/static/css/style_platform-objects.css";
+    @import "/static/css/style_freeipa.css";
     </style>
-    <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/prototype.js')}"></script>
-    <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/scriptaculous.js?load=effects')}"></script>
-    <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/ipautil.js')}"></script>
+    <script type="text/javascript" charset="utf-8" src="/static/javascript/prototype.js"></script>
+    <script type="text/javascript" charset="utf-8" src="/static/javascript/scriptaculous.js?load=effects"></script>
+    <script type="text/javascript" charset="utf-8" src="/static/javascript/ipautil.js"></script>
 </head>
 
 <body py:match="item.tag=='{http://www.w3.org/1999/xhtml}body'" py:attrs="item.items()">
diff --git a/ipa-server/xmlrpc-server/ipa-rewrite.conf b/ipa-server/xmlrpc-server/ipa-rewrite.conf
index 977be7398..af3a3afe2 100644
--- a/ipa-server/xmlrpc-server/ipa-rewrite.conf
+++ b/ipa-server/xmlrpc-server/ipa-rewrite.conf
@@ -1,5 +1,10 @@
 RewriteEngine on
 
+# By default forward all requests to /ipa. If you don't want IPA
+# to be the default on your web server comment this line out. You will
+# need to modify ipa_webgui.cfg as well.
+RewriteRule ^/$$ https://$FQDN/ipa [L,NC,R=301]
+
 # Redirect to the fully-qualified hostname. Not redirecting to secure
 # port so configuration files can be retrieved without requiring SSL.
 RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index 10c9b5ec2..c08282e3b 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -22,36 +22,27 @@ AddType application/java-archive        jar
   Order deny,allow
   Allow from all
 
-  # We create a subrequest to find REMOTE_USER. Don't do this for every
-  # subrequest too (slow and huge logs result)
-  RewriteCond %{IS_SUBREQ}% false
-  RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
-  RequestHeader set X-Forwarded-User %{RU}e
   RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
 
   # RequestHeader unset Authorization
 </Proxy>
 
 # The URI's with a trailing ! are those that aren't handled by the proxy
-ProxyPass /cgi-bin !
-ProxyPass /errors !
-ProxyPass /config !
-ProxyPass /ipa !
-#ProxyPass /ipatest !
-ProxyPass / http://localhost:8080/
-ProxyPassReverse /cgi-bin !
-ProxyPassReverse /errors !
-ProxyPassReverse /config !
-ProxyPassReverse /ipa !
-#ProxyPassReverse /ipatest !
-ProxyPassReverse / http://localhost:8080/
+ProxyPass /ipa http://localhost:8080/ipa
+ProxyPassReverse /ipa http://localhost:8080/ipa
 
 # Configure the XML-RPC service
+Alias /ipaxml "/usr/share/ipa/ipaserver/XMLRPC"
 
-Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+# This is where we redirect on failed auth
 Alias /errors "/usr/share/ipa/html"
+
+# For the MIT Windows config files
 Alias /config "/usr/share/ipa/html"
 
+# So we don't have to hardcode a path into the CSS
+Alias /static "/usr/share/ipa/ipagui/static"
+
 <Directory "/usr/share/ipa/ipaserver">
   AuthType Kerberos
   AuthName "Kerberos Login"