diff options
-rwxr-xr-x | ipsilon/install/server.py | 6 | ||||
-rwxr-xr-x | ipsilon/login/authkrb.py | 66 |
2 files changed, 69 insertions, 3 deletions
diff --git a/ipsilon/install/server.py b/ipsilon/install/server.py index 28e5bdb..4c0aef7 100755 --- a/ipsilon/install/server.py +++ b/ipsilon/install/server.py @@ -79,15 +79,15 @@ def install(plugins, args): logger.info('Installing default config files') ipsilon_conf = os.path.join(CONFDIR, 'ipsilon.conf') idp_conf = os.path.join(CONFDIR, 'idp.conf') - httpd_conf = os.path.join(HTTPDCONFD, 'idp.conf') + args['httpd_conf'] = os.path.join(HTTPDCONFD, 'idp.conf') if os.path.exists(ipsilon_conf): shutil.move(ipsilon_conf, '%s.bakcup.%s' % (ipsilon_conf, now)) if os.path.exists(idp_conf): shutil.move(idp_conf, '%s.backup.%s' % (idp_conf, now)) shutil.copy(os.path.join(TEMPLATES, 'ipsilon.conf'), CONFDIR) shutil.copy(os.path.join(TEMPLATES, 'idp.conf'), CONFDIR) - if not os.path.exists(httpd_conf): - os.symlink(idp_conf, httpd_conf) + if not os.path.exists(args['httpd_conf']): + os.symlink(idp_conf, args['httpd_conf']) # Load the cherrypy config from the newly installed file so # that db paths and all is properly set before configuring # components diff --git a/ipsilon/login/authkrb.py b/ipsilon/login/authkrb.py index 5b9163d..d012ea8 100755 --- a/ipsilon/login/authkrb.py +++ b/ipsilon/login/authkrb.py @@ -18,7 +18,11 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from ipsilon.login.common import LoginPageBase, LoginManagerBase +from ipsilon.login.common import FACILITY +from ipsilon.util.plugin import PluginObject +from string import Template import cherrypy +import os class Krb(LoginPageBase): @@ -81,6 +85,26 @@ plugin for actual authentication. """ return self.page +CONF_TEMPLATE = """ + +<Location /idp/login/krb/negotiate> + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate on + KrbMethodK5Passwd off + KrbServiceName HTTP + $realms + $keytab + KrbSaveCredentials off + KrbConstrainedDelegation off + # KrbLocalUserMapping On + Require valid-user + + ErrorDocument 401 /idp/login/krb/unauthorized +</Location> +""" + + class Installer(object): def __init__(self): @@ -90,7 +114,49 @@ class Installer(object): def install_args(self, group): group.add_argument('--krb', choices=['yes', 'no'], default='no', help='Configure Kerberos authentication') + group.add_argument('--krb-realms', + help='Allowed Kerberos Auth Realms') + group.add_argument('--krb-httpd-keytab', + default='/etc/httpd/conf/http.keytab', + help='Kerberos keytab location for HTTPD') def configure(self, opts): if opts['krb'] != 'yes': return + + keytab = ' # Krb5KeyTab - No Keytab provided' + if opts['krb_httpd_keytab'] is None: + if os.path.exists('/etc/httpd/conf/http.keytab'): + keytab = ' Krb5KeyTab /etc/httpd/conf/http.keytab' + else: + if os.path.exists(opts['krb_httpd_keytab']): + keytab = ' Krb5KeyTab %s' % opts['krb_httpd_keytab'] + else: + raise Exception('Keytab not found') + + if opts['krb_realms'] is None: + realms = ' # KrbAuthRealms - Any trusted realm is allowed' + else: + realms = ' KrbAuthRealms %s' % opts['krb_realms'] + + tmpl = Template(CONF_TEMPLATE) + hunk = tmpl.substitute(keytab=keytab, realms=realms) + with open(opts['httpd_conf'], 'a') as httpd_conf: + httpd_conf.write(hunk) + + # Add configuration data to database + po = PluginObject() + po.name = 'krb' + po.wipe_data() + + # Update global config, put 'krb' always first + po.name = 'global' + globalconf = po.get_plugin_config(FACILITY) + if 'order' in globalconf: + order = globalconf['order'].split(',') + else: + order = [] + order.insert(0, 'krb') + globalconf['order'] = ','.join(order) + po.set_config(globalconf) + po.save_plugin_config(FACILITY) |