Diffstat (limited to 'ipa-server/xmlrpc-server/ipa.conf')
-rw-r--r--ipa-server/xmlrpc-server/ipa.conf67
1 files changed, 55 insertions, 12 deletions
diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf
index c66ef8f9..f1bc8da6 100644
--- a/ipa-server/xmlrpc-server/ipa.conf
+++ b/ipa-server/xmlrpc-server/ipa.conf
@@ -1,8 +1,8 @@
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
-# Require kerberos authentication for the entire server
+ProxyRequests Off
-<LocationMatch />
+<Proxy *>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
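Review bot: Moving the Kerberos directives from `<LocationMatch />` into `<Proxy *>` means authentication is no longer server-wide. It now covers only requests that are actually proxied, and every path excluded with `ProxyPass <path> !` is served under whatever its own `<Directory>` section says. The commit adds sections for the current exclusions, but the removed comment is not replaced, so nothing in the file records this invariant for whoever adds the next exclusion. I would put a comment above `<Proxy *>` such as `# Kerberos auth here covers proxied requests only; every "ProxyPass <path> !" exclusion needs its own auth section`. The `<Proxy *>` section continues outside this hunk.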
@@ -13,11 +13,6 @@
KrbSaveCredentials on
Require valid-user
ErrorDocument 401 /errors/unauthorized.html
-</LocationMatch>
-
-ProxyRequests Off
-
-<Proxy *>
RewriteEngine on
Order deny,allow
Allow from all
@@ -33,35 +28,83 @@ ProxyRequests Off
</Proxy>
# The URI's with a trailing ! are those that aren't handled by the proxy
-ProxyPass /errors/ !
+ProxyPass /cgi-bin !
+ProxyPass /errors !
ProxyPass /ipa !
+#ProxyPass /ipatest !
ProxyPass / http://localhost:8080/
+ProxyPassReverse /cgi-bin !
ProxyPassReverse /errors !
ProxyPassReverse /ipa !
+#ProxyPassReverse /ipatest !
ProxyPassReverse / http://localhost:8080/
# Configure the XML-RPC service
Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC"
+Alias /errors "/usr/share/ipa/html"
<Directory "/usr/share/ipa/ipaserver">
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbServiceName HTTP
+ KrbAuthRealms $REALM
+ Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ KrbSaveCredentials on
+ Require valid-user
+ ErrorDocument 401 /errors/unauthorized.html
SetHandler mod_python
PythonHandler ipaxmlrpc
PythonDebug Off
- # Some IPA-specific configuration options
- PythonOption IPADebug Off
+ PythonOption IPADebug Off
# this is pointless to use since it would just reload ipaxmlrpc.py
PythonAutoReload Off
</Directory>
-Alias /errors "/usr/share/ipa/html"
-
+# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
AllowOverride None
Satisfy Any
Allow from all
</Directory>
+
+# Protect our CGIs
+<Directory /var/www/cgi-bin>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate on
+ KrbMethodK5Passwd off
+ KrbServiceName HTTP
+ KrbAuthRealms $REALM
+ Krb5KeyTab /etc/httpd/conf/ipa.keytab
+ KrbSaveCredentials on
+ Require valid-user
+ ErrorDocument 401 /errors/unauthorized.html
+</Directory>
+
+#Alias /ipatest "/usr/share/ipa/ipaserver"
+
+#<Directory "/usr/share/ipa/ipaserver">
+# AuthType Kerberos
+# AuthName "Kerberos Login"
+# KrbMethodNegotiate on
+# KrbMethodK5Passwd off
+# KrbServiceName HTTP
+# KrbAuthRealms $REALM
+# Krb5KeyTab /etc/httpd/conf/ipa.keytab
+# KrbSaveCredentials on
+# Require valid-user
+# ErrorDocument 401 /errors/unauthorized.html
+#
+# SetHandler mod_python
+# PythonHandler test_mod_python
+#
+# PythonDebug Off
+#
+#</Directory>
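Review bot: `KrbSaveCredentials on` is copied into the new `<Directory /var/www/cgi-bin>` section, which makes each user's delegated credentials available to every script in that directory. Nothing in the diff shows whether the CGIs need to act on behalf of the user; if they only need the caller's identity, `KrbSaveCredentials off` there would be the least-privilege setting. The same ten Kerberos directives now appear in three live sections and one commented-out one. Keeping them in a single included file would stop the copies drifting apart, for example if `KrbMethodK5Passwd` were changed in only one place. The mapping of the `/cgi-bin` URL to `/var/www/cgi-bin` is not visible in this file, so the protection assumes the main server config points there.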