# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off

RewriteEngine on

# Redirect to the fully-qualified hostname. Not redirecting to secure
# port so configuration files can be retrieved without requiring SSL.
RewriteCond %{HTTP_HOST}    !^$FQDN$$ [NC]
RewriteRule ^/(.*)          http://$FQDN/$$1 [L,R=301]

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$$
RewriteCond %{REQUEST_URI}  !^/(errors|config|favicon.ico)
RewriteRule ^/(.*)          https://$FQDN/$$1 [L,R=301,NC]

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive        jar

<Proxy *>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
  RewriteEngine on
  Order deny,allow
  Allow from all

  # We create a subrequest to find REMOTE_USER. Don't do this for every
  # subrequest too (slow and huge logs result)
  RewriteCond %{IS_SUBREQ}% false
  RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}]
  RequestHeader set X-Forwarded-User %{RU}e
  RequestHeader set X-Forwarded-Keytab %{KRB5CCNAME}e

  # RequestHeader unset Authorization
</Proxy>

# The URI's with a trailing ! are those that aren't handled by the proxy
ProxyPass /cgi-bin !
ProxyPass /errors !
ProxyPass /config !
ProxyPass /ipa !
#ProxyPass /ipatest !
ProxyPass / http://localhost:8080/
ProxyPassReverse /cgi-bin !
ProxyPassReverse /errors !
ProxyPassReverse /config !
ProxyPassReverse /ipa !
#ProxyPassReverse /ipatest !
ProxyPassReverse / http://localhost:8080/

# Configure the XML-RPC service

Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
Alias /errors "/usr/share/ipa/html"
Alias /config "/usr/share/ipa/html"

<Directory "/usr/share/ipa/ipaserver">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html

  SetHandler mod_python
  PythonHandler ipaxmlrpc
  
  PythonDebug Off

  PythonOption IPADebug Off

  # this is pointless to use since it would just reload ipaxmlrpc.py
  PythonAutoReload Off
</Directory>

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>

# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /errors/unauthorized.html
</Directory>

#Alias /ipatest "/usr/share/ipa/ipatest"

#<Directory "/usr/share/ipa/ipatest">
#  AuthType Kerberos
#  AuthName "Kerberos Login"
#  KrbMethodNegotiate on
#  KrbMethodK5Passwd off
#  KrbServiceName HTTP
#  KrbAuthRealms $REALM
#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
#  KrbSaveCredentials on
#  Require valid-user
#  ErrorDocument 401 /errors/unauthorized.html
#
#  SetHandler mod_python
#  PythonHandler test_mod_python
#  
#  PythonDebug Off
#
#</Directory>