# LoadModule auth_kerb_module modules/mod_auth_kerb.so

# Require kerberos authentication for the entire server

<LocationMatch />
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
</LocationMatch>

ProxyRequests Off

<Proxy *>
  RewriteEngine on
  Order deny,allow
  Allow from all

  # We create a subrequest to find REMOTE_USER. Don't do this for every
  # subrequest too (slow and huge logs result)
  RewriteCond %{IS_SUBREQ}% false
  RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
  RequestHeader set X-Forwarded-User %{RU}e
  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e

  # RequestHeader unset Authorization
</Proxy>

# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /errors/ !
ProxyPass /ipa !
ProxyPass / http://localhost:8080/
ProxyPassReverse /errors !
ProxyPassReverse /ipa !
ProxyPassReverse / http://localhost:8080/

# Configure the XML-RPC service

Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"

<Directory "/usr/share/ipa/ipaserver">

  SetHandler mod_python
  PythonHandler ipaxmlrpc
  
  PythonDebug Off

  # this is pointless to use since it would just reload ipaxmlrpc.py
  PythonAutoReload Off
</Directory>