summaryrefslogtreecommitdiffstats
path: root/install/conf/ipa.conf
blob: 89c9849ca6656ae3da585a72392d5d2463f4d892 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
#
# VERSION 4 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so

ProxyRequests Off


#We use xhtml, a file format that the browser validates
DirectoryIndex index.html



# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive        jar


# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /var/run/httpd/wsgi


# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
  SetHandler None
</Location>
<Location "/ipa/config">
  SetHandler None
</Location>
<Location "/ipa/crl">
  SetHandler None
</Location>

KrbConstrainedDelegationLock ipa

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  KrbConstrainedDelegation on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>

# Turn off Apache authentication for sessions
<Location "/ipa/session/json">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/login_password">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>


# For CRL publishing
Alias /ipa/crl "/var/lib/pki-ca/publish"
<Directory "/var/lib/pki-ca/publish">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>


#  webUI  is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>



# Protect our CGIs
<Directory /var/www/cgi-bin>
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms $REALM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  KrbSaveCredentials on
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
</Directory>


# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>