ipsilon.git, branch v0.2.3 Unnamed repository; edit this file 'description' to name the repository. Bump up release to 0.2.3 2014-05-10T14:01:31+00:00 Simo Sorce simo@redhat.com 2014-05-07T16:23:28+00:00 75217be7ecda2b597c54629647e7e200f7c76541 Signed-off-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Fix broken login plugins order config handling 2014-05-10T14:00:17+00:00 Nathan Kinder nkinder@redhat.com 2014-05-10T00:38:32+00:00 c950d7553e3f04a0fd5452afb705cf04e8f62a2b The administrative page for configuring login plugins order had a number of problems. The html template expects a list of plugin names to be supplied, but a list of the actual plugin objects was being supplied. This caused a 500 error since join() would throw an exception when it encounters something other than a string. Even after fixing the 500 error, actually modifying the plugin order would not work due to further issues with plugin objects being used when strings representing the plugin names are expected (and vice-versa). This patch ensures that strings representing plugin names are supplied to the html template, and that plugin objects are used when re-ordering the live plugin list. Resolves: https://fedorahosted.org/ipsilon/ticket/2 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The administrative page for configuring login plugins order had
a number of problems.  The html template expects a list of plugin
names to be supplied,  but a list of the actual plugin objects
was being supplied.  This caused a 500 error since join() would
throw an exception when it encounters something other than a string.

Even after fixing the 500 error, actually modifying the plugin
order would not work due to further issues with plugin objects
being used when strings representing the plugin names are expected
(and vice-versa).

This patch ensures that strings representing plugin names are
supplied to the html template, and that plugin objects are used
when re-ordering the live plugin list.

Resolves: https://fedorahosted.org/ipsilon/ticket/2

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
WSGI settings incorrectly makes instance global 2014-05-10T13:57:28+00:00 Nathan Kinder nkinder@redhat.com 2014-05-09T23:16:11+00:00 513aa5d4dbb72b73a9d60c89080868c43dedc358 The WSGIProcessGroup directive should only apply to the /idp URI. Without wrapping this directive in the Location element, multiple Ipsilon instances or an Ipsilon instance installed on a FreeIPA server will conflict and encounter problems running in the same httpd process. All wsgi processes will end up redirected to the last process grup defined in the configuration in this case and all other instances of wsgi applications will be unreachable. Resolves: https://fedorahosted.org/ipsilon/ticket/1 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The WSGIProcessGroup directive should only apply to the /idp URI.
Without wrapping this directive in the Location element, multiple
Ipsilon instances or an Ipsilon instance installed on a FreeIPA
server will conflict and encounter problems running in the same
httpd process. All wsgi processes will end up redirected to the
last process grup defined in the configuration in this case and
all other instances of wsgi applications will be unreachable.

Resolves: https://fedorahosted.org/ipsilon/ticket/1

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add details on using a principal for the admin 2014-05-10T13:56:23+00:00 Nathan Kinder nkinder@redhat.com 2014-05-09T23:12:31+00:00 493384f04be7f5615a2344ca896028837bfaa3a4 When Ipsilon is being installed with IPA, one is most likely going to use Kerberos to login to Ipsilon as the administrator. We should call this out, as the default of 'admin' for the Ipsilon admin user will conflict with the IPA 'admin' user. You will be unable to create a local 'admin' user at this point, requiring you to modify the sqlite database directly to change the admin user to a full principal. I also corrected a typo and wrapped a line that was > 79 chars. Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
When Ipsilon is being installed with IPA, one is most likely going
to use Kerberos to login to Ipsilon as the administrator.  We should
call this out, as the default of 'admin' for the Ipsilon admin user
will conflict with the IPA 'admin' user.  You will be unable to
create a local 'admin' user at this point, requiring you to modify
the sqlite database directly to change the admin user to a full
principal.

I also corrected a typo and wrapped a line that was > 79 chars.

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add 500 Error handler for krb module 2014-05-07T14:00:35+00:00 Simo Sorce simo@redhat.com 2014-05-07T13:51:25+00:00 380b732e853b71d3a682a6189f8833c59b5e78d3 If mod_auth_kerb encounters an internal error, catch it so we can fall back to the next authentication module, if any, or return a proper failure message. Signed-off-by: Simo Sorce <simo@redhat.com> 
If mod_auth_kerb encounters an internal error, catch it so we can fall back to
the next authentication module, if any, or return a proper failure message.

Signed-off-by: Simo Sorce <simo@redhat.com>
Remind the user to restart HTTPD when done 2014-05-07T14:00:35+00:00 Simo Sorce simo@redhat.com 2014-05-07T13:47:20+00:00 0c7ff90e4380c2c690818b5a8079fdcfb61af389 On a successful install you need to retsart apache to enable the instance, remind the user that is necessary. Signed-off-by: Simo Sorce <simo@redhat.com> 
On a successful install you need to retsart apache to enable the instance,
remind the user that is necessary.

Signed-off-by: Simo Sorce <simo@redhat.com>
Give more user feedback around keytab issues 2014-05-07T14:00:25+00:00 Simo Sorce simo@redhat.com 2014-05-07T13:45:32+00:00 b93cf2d751e9c6078ee15d30a66d939bbe2f3b9f Signed-off-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Version bump, go to 0.2.2 2014-05-05T14:09:17+00:00 Simo Sorce simo@redhat.com 2014-05-02T00:52:50+00:00 6436e1f48f9c9914dedb72bd78b0dcfc2848951b Signed-off-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Simo Sorce <simo@redhat.com>
Add README file with basic installation HOWTO 2014-05-05T14:09:17+00:00 Simo Sorce simo@redhat.com 2014-05-02T00:50:17+00:00 5fbd0275bf0263e0bfb384a51dbe144c90c9f57b The HowTo cover the simplest scenarios for both the Identiry and Service Provider applications. Signed-off-by: Simo Sorce <simo@redhat.com> 
The HowTo cover the simplest scenarios for both the Identiry and
Service Provider applications.

Signed-off-by: Simo Sorce <simo@redhat.com>
Add IPA helper for server install 2014-05-02T01:05:47+00:00 Simo Sorce simo@redhat.com 2014-04-29T21:24:29+00:00 33d8af8c15d28a32c42f056546cf391b2cffa803 The IPa helper chcks a krb keytab is available for the local HTTPD service at the standard ipa location, and if not available, tries to register the sevice and retrieve one from the IPA server. At the end of the process forces the activation of the krb plugin as well as the fallback to pam for authentication. Signed-off-by: Simo Sorce <simo@redhat.com> 
The IPa helper chcks a krb keytab is available for the local HTTPD
service at the standard ipa location, and if not available, tries
to register the sevice and retrieve one from the IPA server.

At the end of the process forces the activation of the krb plugin
as well as the fallback to pam for authentication.

Signed-off-by: Simo Sorce <simo@redhat.com>