-rw-r--r--ipa-python/rpcclient.py2
-rw-r--r--ipa-server/ipa-gui/ipa_webgui.cfg4
-rw-r--r--ipa-server/ipa-gui/ipagui/proxyprovider.py15
-rw-r--r--ipa-server/ipa-gui/ipagui/templates/master.kid12
-rw-r--r--ipa-server/xmlrpc-server/ipa-rewrite.conf5
-rw-r--r--ipa-server/xmlrpc-server/ipa.conf27
6 files changed, 34 insertions, 31 deletions
diff --git a/ipa-python/rpcclient.py b/ipa-python/rpcclient.py
index c3835568f..7fa075b1d 100644
--- a/ipa-python/rpcclient.py
+++ b/ipa-python/rpcclient.py
@@ -37,7 +37,7 @@ class RPCClient:
def server_url(self, server):
"""Build the XML-RPC server URL from our configuration"""
- return "https://" + server + "/ipa"
+ return "https://" + server + "/ipaxml"
def setup_server(self):
"""Create our XML-RPC server connection using kerberos
diff --git a/ipa-server/ipa-gui/ipa_webgui.cfg b/ipa-server/ipa-gui/ipa_webgui.cfg
index e785f34ee..62d251cf3 100644
--- a/ipa-server/ipa-gui/ipa_webgui.cfg
+++ b/ipa-server/ipa-gui/ipa_webgui.cfg
@@ -29,7 +29,7 @@ server.thread_pool = 10
# if this is part of a larger site, you can set the path
# to the TurboGears instance here
-# server.webpath=""
+server.webpath="/ipa"
# Set to True if you are deploying your App behind a proxy
# e.g. Apache using mod_proxy
@@ -58,7 +58,7 @@ session_filter.storage_path='/var/cache/ipa/sessions'
# Listen only on the local interface so all requests go through
# Apache/mod_auth_kerb/mod_proxy.
-server.server_port = 8080
+server.socket_port = 8080
server.socket_host="127.0.0.1"
# LOGGING
diff --git a/ipa-server/ipa-gui/ipagui/proxyprovider.py b/ipa-server/ipa-gui/ipagui/proxyprovider.py
index 5a145de14..5299091d2 100644
--- a/ipa-server/ipa-gui/ipagui/proxyprovider.py
+++ b/ipa-server/ipa-gui/ipagui/proxyprovider.py
@@ -25,6 +25,7 @@ import ipa.config
import ipa.group
import ipa.user
import ldap
+import krbV
log = logging.getLogger("turbogears.identity")
@@ -132,7 +133,7 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
user = IPA_User(user_name)
log.debug( "validate_identity %s" % user_name)
return ProxyIdentity(visit_key, user)
- except:
+ except Exception, e:
# Something went wrong in fetching the user. Set to
# anonymous which will deny access.
return ProxyIdentity( None )
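Review bot: The new `except Exception, e:` binds `e` but never uses it, so a failed user lookup still falls back to the anonymous identity without recording why. Because this is the authentication path, log the failure before returning, e.g. `log.error("validate_identity failed for %s: %s" % (user_name, e))`, so a directory outage can be told apart from an ordinary denial. validate_identity starts above this hunk.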
@@ -143,12 +144,18 @@ class ProxyIdentityProvider(SqlObjectIdentityProvider):
def load_identity(self, visit_key):
try:
- user_name= cherrypy.request.headers['X-FORWARDED-USER']
os.environ["KRB5CCNAME"] = cherrypy.request.headers['X-FORWARDED-KEYTAB']
-# user_name = "test@FREEIPA.ORG"
-# os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_500"
+ ccache = krbV.CCache(cherrypy.request.headers['X-FORWARDED-KEYTAB'])
+ user_name = ccache.principal().name
+# user_name = "test@FREEIPA.ORG"
+# os.environ["KRB5CCNAME"] = "FILE:/tmp/krb5cc_500"
except KeyError:
return None
+ except AttributeError:
+ return None
+ except krbV.Krb5Error:
+ return None
+
set_login_attempted( True )
return self.validate_identity( user_name, None, visit_key )
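Review bot: The authenticated user is now taken entirely from the credential cache named in the `X-FORWARDED-KEYTAB` request header, and nothing in `load_identity` checks that value before passing it to `krbV.CCache` and exporting it through `os.environ["KRB5CCNAME"]`. That is only sound if every request reaches TurboGears through the Apache `RequestHeader set` rule, so the function should carry a comment stating that assumption and should check that the value has the form Apache is expected to produce. Reading the header once, `ccache_name = cherrypy.request.headers['X-FORWARDED-KEYTAB']`, and using that local for both the environment variable and `krbV.CCache(ccache_name)` would avoid the double lookup. `os.environ` is also process-wide while ipa_webgui.cfg sets `server.thread_pool = 10`, so concurrent requests can overwrite each other's `KRB5CCNAME`; the unchanged assignment would be better replaced by passing the cache explicitly where it is needed. The commented-out test principal lines can be dropped.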
diff --git a/ipa-server/ipa-gui/ipagui/templates/master.kid b/ipa-server/ipa-gui/ipagui/templates/master.kid
index d8b341428..ac850178a 100644
--- a/ipa-server/ipa-gui/ipagui/templates/master.kid
+++ b/ipa-server/ipa-gui/ipagui/templates/master.kid
@@ -24,13 +24,13 @@
<title py:replace="''">Your title goes here</title>
<meta py:replace="item[:]"/>
<style type="text/css" media="all">
- @import "${tg.url('/static/css/style_platform.css')}";
- @import "${tg.url('/static/css/style_platform-objects.css')}";
- @import "${tg.url('/static/css/style_freeipa.css')}";
+ @import "/static/css/style_platform.css";
+ @import "/static/css/style_platform-objects.css";
+ @import "/static/css/style_freeipa.css";
</style>
- <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/prototype.js')}"></script>
- <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/scriptaculous.js?load=effects')}"></script>
- <script type="text/javascript" charset="utf-8" src="${tg.url('/static/javascript/ipautil.js')}"></script>
+ <script type="text/javascript" charset="utf-8" src="/static/javascript/prototype.js"></script>
+ <script type="text/javascript" charset="utf-8" src="/static/javascript/scriptaculous.js?load=effects"></script>
+ <script type="text/javascript" charset="utf-8" src="/static/javascript/ipautil.js"></script>
</head>
<body py:match="item.tag=='{http://www.w3.org/1999/xhtml}body'" py:attrs="item.items()">
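Review bot: The stylesheet and script URLs are now fixed at `/static/...`, which only resolves when the web server in front of TurboGears maps that path (the `Alias /static` added to ipa.conf in this commit), and the template gives no hint of that dependency. A short comment above the `<style>` block, e.g. `<!-- /static is served by Apache (Alias in ipa.conf), not by TurboGears -->`, would explain a page with no CSS or JavaScript when the GUI runs without that Apache configuration.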
diff --git a/ipa-server/xmlrpc-server/ipa-rewrite.conf b/ipa-server/xmlrpc-server/ipa-rewrite.conf
index 977be7398..af3a3afe2 100644
--- a/ipa-server/xmlrpc-server/ipa-rewrite.conf
+++ b/ipa-server/xmlrpc-server/ipa-rewrite.conf
@@ -1,5 +1,10 @@
RewriteEngine on
+# By default forward all requests to /ipa. If you don't want IPA
+# to be the default on your web server comment this line out. You will
+# need to modify ipa_webgui.cfg as well.
+RewriteRule ^/$$ https://$FQDN/ipa [L,NC,R=301]
+
# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST} !^$FQDN$$ [NC]
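Review bot: The new root redirect uses `R=301`, which browsers cache, so an administrator who later comments the rule out as the comment suggests will still see clients jump to /ipa until their caches expire. A temporary redirect is safer for an optional default: `RewriteRule ^/$$ https://$FQDN/ipa [L,R=302]`. The `NC` flag can go as well, since the pattern contains no letters.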
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index 10c9b5ec2..c08282e3b 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -22,36 +22,27 @@ AddType application/java-archive jar
Order deny,allow
Allow from all
- # We create a subrequest to find REMOTE_USER. Don't do this for every
- # subrequest too (slow and huge logs result)
- RewriteCond %{IS_SUBREQ}% false
- RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
- RequestHeader set X-Forwarded-User %{RU}e
RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e
# RequestHeader unset Authorization
</Proxy>
# The URI's with a trailing ! are those that aren't handled by the proxy
-ProxyPass /cgi-bin !
-ProxyPass /errors !
-ProxyPass /config !
-ProxyPass /ipa !
-#ProxyPass /ipatest !
-ProxyPass / http://localhost:8080/
-ProxyPassReverse /cgi-bin !
-ProxyPassReverse /errors !
-ProxyPassReverse /config !
-ProxyPassReverse /ipa !
-#ProxyPassReverse /ipatest !
-ProxyPassReverse / http://localhost:8080/
+ProxyPass /ipa http://localhost:8080/ipa
+ProxyPassReverse /ipa http://localhost:8080/ipa
# Configure the XML-RPC service
+Alias /ipaxml "/usr/share/ipa/ipaserver/XMLRPC"
-Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+# This is where we redirect on failed auth
Alias /errors "/usr/share/ipa/html"
+
+# For the MIT Windows config files
Alias /config "/usr/share/ipa/html"
+# So we don't have to hardcode a path into the CSS
+Alias /static "/usr/share/ipa/ipagui/static"
+
<Directory "/usr/share/ipa/ipaserver">
AuthType Kerberos
AuthName "Kerberos Login"
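Review bot: The comment `# The URI's with a trailing ! are those that aren't handled by the proxy` is left in place although every `ProxyPass ... !` exclusion is removed, so it now describes nothing; replace it with something like `# Only /ipa is proxied to the TurboGears GUI; all other paths are served by Apache`. The new `Alias /static "/usr/share/ipa/ipagui/static"` has no `<Directory>` block in this hunk, so if none exists elsewhere in the file its access rules and options (directory listings in particular) come from the server defaults and should be set explicitly. With `X-Forwarded-User` gone the backend relies on `X-Forwarded-Keytab` alone, so this `RequestHeader set` must apply to every proxied /ipa request. The `<Proxy>` block opens and the `<Directory>` block closes outside the hunk.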