author | John Dennis <jdennis@redhat.com> | 2012-02-25 13:39:19 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-02-27 05:57:43 -0500 |
commit | ee780df13c99a5465cd6df965772260c297a5eb2 (patch) | |
tree | 8f215388e7642ca590aa7d0c432f7591653843df /install | |
parent | 059a90702e454b99490031bd37541304e65d35d2 (diff) | |
Implement password based session login
* Adjust URLs
- rename /ipa/login -> /ipa/session/login_kerberos
- add /ipa/session/login_password
* Adjust Kerberos protection on URLs in ipa.conf
* Bump VERSION in httpd ipa.conf to pick up session changes.
* Adjust login URL in ipa.js
* Add InvalidSessionPassword to errors.py
* Rename krblogin class to login_kerberos for consistency with
new login_password class
* Implement login_password.kinit() method which invokes
/usr/bin/kinit as a subprocess
* Add login_password class for WSGI dispatch, accepts POST
application/x-www-form-urlencoded user & password
parameters. We form the Kerberos principal from the server's
realm.
* Add function krb5_unparse_ccache()
* Refactor code to share common code
* Clean up use of ccache names, be consistent
* Replace read_krbccache_file(), store_krbccache_file(), delete_krbccache_file()
with load_ccache_data(), bind_ipa_ccache(), release_ipa_ccache().
bind_ipa_ccache() now sets environment KRB5CCNAME variable.
release_ipa_ccache() now clears environment KRB5CCNAME variable.
* ccache names should now support any ccache storage scheme,
not just FILE based ccaches
* Add utilities to return HTTP status from wsgi handlers,
use constants for HTTP status code for consistency.
Use utilities for returning from wsgi handlers rather than
duplicated code.
* Add KerberosSession.finalize_kerberos_acquisition() method
so different login handlers can share common code.
* add Requires: krb5-workstation to server (server now calls kinit)
* Fix test_rpcserver.py to use new dispatch inside route() method
https://fedorahosted.org/freeipa/ticket/2095
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa.conf | 10 |
-rw-r--r-- | install/ui/ipa.js | 2 |
2 files changed, 9 insertions, 3 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index cd806be7d..89c9849ca 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 3 - DO NOT REMOVE THIS LINE +# VERSION 4 - DO NOT REMOVE THIS LINE # # LoadModule auth_kerb_module modules/mod_auth_kerb.so @@ -60,7 +60,13 @@ KrbConstrainedDelegationLock ipa </Location> # Turn off Apache authentication for sessions -<Location "/ipa/session"> +<Location "/ipa/session/json"> + Satisfy Any + Order Deny,Allow + Allow from all +</Location> + +<Location "/ipa/session/login_password"> Satisfy Any Order Deny,Allow Allow from all diff --git a/install/ui/ipa.js b/install/ui/ipa.js index a599f6a8c..433d7fe6d 100644 --- a/install/ui/ipa.js +++ b/install/ui/ipa.js @@ -60,7 +60,7 @@ var IPA = function() { // if current path matches live server path, use live data if (that.url && window.location.pathname.substring(0, that.url.length) === that.url) { that.json_url = params.url || '/ipa/session/json'; - that.login_url = params.url || '/ipa/login'; + that.login_url = params.url || '/ipa/session/login_kerberos'; } else { // otherwise use fixtures that.json_path = params.url || "test/data"; |
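Review bot: In the ipa.conf hunk at @@ -60,7 +60,13, the comment "# Turn off Apache authentication for sessions" no longer describes what follows. Authentication is now turned off for exactly two paths, /ipa/session/json and /ipa/session/login_password, and everything else under /ipa/session, including the renamed /ipa/session/login_kerberos, falls outside a Satisfy Any block. Please reword the comment to name the two exempt paths and say that login_kerberos is left out on purpose, presumably so that it stays behind the Kerberos authentication this file configures. Because /ipa/session/login_password takes a POSTed password with Apache authentication disabled, and nothing in these lines shows a transport restriction on that Location, it is worth confirming that the enclosing configuration only serves it over TLS.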
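Review bot: On the changed line `that.login_url = params.url || '/ipa/session/login_kerberos';` in the ipa.js hunk, params.url takes precedence for login_url exactly as it does for json_url on the line above, so a caller that passes params.url ends up with the JSON endpoint and the login endpoint set to the same URL. Now that login lives at its own path under /ipa/session, consider a separate override for it (a hypothetical params.login_url, for instance) instead of reusing params.url. Separately, this hunk only repoints the Kerberos login. The /ipa/session/login_password path that the ipa.conf change opens up is not referenced anywhere in the ipa.js change, so a comment or follow-up noting where the UI will use it would help reviewers.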