From 182fbe30945a8de005f00b460968dca7973342fb Mon Sep 17 00:00:00 2001 From: rcritten Date: Mon, 10 Sep 2007 16:33:01 -0400 Subject: Enable mod_proxy to sit in front of TurboGears and pass along the kerberos principal name Add an identity an visit class to TurboGears that can handle the user without requiring a database Update the UI to show the user correctly. Note that this is currently disabled. It is hardcoded to always return the principal test@FREEIPA.ORG in proxyprovider.py It doesn't handle an unauthorized request because that can never happen. --- ipa-server/xmlrpc-server/ipa.conf | 36 ++++++++++++++++++++++++++++++++++-- 1 file changed, 34 insertions(+), 2 deletions(-) (limited to 'ipa-server/xmlrpc-server') diff --git a/ipa-server/xmlrpc-server/ipa.conf b/ipa-server/xmlrpc-server/ipa.conf index b80c5c57..30a7655a 100644 --- a/ipa-server/xmlrpc-server/ipa.conf +++ b/ipa-server/xmlrpc-server/ipa.conf @@ -1,8 +1,8 @@ # LoadModule auth_kerb_module modules/mod_auth_kerb.so -Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC" +# Require kerberos authentication for the entire server - + AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on 
@@ -13,6 +13,37 @@ Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC" KrbSaveCredentials on Require valid-user ErrorDocument 401 /errors/unauthorized.html + + +ProxyRequests Off + + + RewriteEngine on + Order deny,allow + Allow from all + + # We create a subrequest to find REMOTE_USER. Don't do this for every + # subrequest too (slow and huge logs result) + RewriteCond %{IS_SUBREQ}% false + RewriteRule .* - [E=RU:%{LA-U:REMOTE_USER}] + RequestHeader set X-Forwarded-User %{RU}e + + # RequestHeader unset Authorization + + +# The URI's with a trailing ! are those that aren't handled by the proxy +ProxyPass /errors/ ! +ProxyPass /ipa ! +ProxyPass / http://localhost:8080/ +ProxyPassReverse /errors ! +ProxyPassReverse /ipa ! +ProxyPassReverse / http://localhost:8080/ + +# Configure the XML-RPC service + +Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC" + + SetHandler mod_python PythonHandler ipaxmlrpc @@ -22,3 +53,4 @@ Alias /ipa "/usr/share/ipa/ipaserver/XMLRPC" # this is pointless to use since it would just reload ipaxmlrpc.py PythonAutoReload Off + -- cgit
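Review bot: The backend's only proof of identity is now the `X-Forwarded-User` header set in the proxy block, so the header must be settable by nothing but this proxy. `RequestHeader set` does overwrite a value sent by the client, but anything that can connect to `http://localhost:8080/` directly can presumably assert any principal (the backend's bind address and header handling are not visible in this diff). I would add a comment above that line, e.g. `# Backend trusts X-Forwarded-User: it must listen on loopback only and be reachable solely through this proxy`, and have the backend reject an empty or `(null)` value, which is what `%{RU}e` should expand to when the look-ahead finds no REMOTE_USER. Separately, `# RequestHeader unset Authorization` is left commented out, so the client's Negotiate token is forwarded to the backend over plain HTTP; enable it unless the backend really needs that header. Lastly, `RewriteCond %{IS_SUBREQ}% false` has a stray `%` and only matches because the pattern is unanchored; `RewriteCond %{IS_SUBREQ} ^false$` states the intent.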