author | Martin Babinsky <mbabinsk@redhat.com> | 2015-05-15 15:37:05 +0200 |
---|---|---|
committer | Jan Cholasta <jcholast@redhat.com> | 2015-05-19 12:59:18 +0000 |
commit | 7ff7b1f533cc10c44acf6020b545b253de1ad37b (patch) | |
tree | e0dbc79f162350c4652bd6a247c1c302820e37cc | |
parent | 0167919ba88ef718e7b678380ebfe3ddb4566831 (diff) | |
move IPA-related http runtime directories to common subdirectory
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use a common directory for storing the Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory, leading to an invalid CCache path for
httpd and authentication failure.
Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.
https://fedorahosted.org/freeipa/ticket/4973
Reviewed-By: David Kupka <dkupka@redhat.com>
-rw-r--r-- | freeipa.spec.in | 8 | ||||
-rw-r--r-- | init/systemd/httpd.service | 2 | ||||
-rw-r--r-- | init/systemd/ipa.conf.tmpfiles | 4 | ||||
-rw-r--r-- | install/conf/ipa.conf | 4 |
4 files changed, 12 insertions, 6 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 737364556..b14acee63 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -465,7 +465,9 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
 mkdir -p %{buildroot}%{_localstatedir}/run/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
 install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
-install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -685,7 +687,9 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
index ef1e6bfda..231f86f44 100644
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -1,4 +1,4 @@
 .include /usr/lib/systemd/system/httpd.service
 [Service]
-Environment=KRB5CCNAME=/var/run/httpd/krbcache/krb5ccache
+Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index b4503cc67..6eab2621c 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
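Review bot: The three new credential-cache paths and their 0700 mode are written out independently in the `install -d` lines of the `@@ -465` hunk, in the `%dir %attr(...)` entries of the `@@ -685` hunk, and again in init/systemd/ipa.conf.tmpfiles, with nothing tying the copies together. Since these directories hold Kerberos ccaches, a later edit that loosens mode or owner in only one place would not be caught at build time. A comment above the `install -d` group would make the coupling visible, worded without a literal percent sign so rpm does not try to expand it: `# ccache dirs: mode and owner must match the files list and init/systemd/ipa.conf.tmpfiles`.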
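Review bot: In init/systemd/httpd.service, `KRB5CCNAME` now points into `/var/run/httpd/ipa/krbcache`, but nothing in this drop-in ensures that directory exists when httpd starts; it is created only by the tmpfiles entry added in init/systemd/ipa.conf.tmpfiles. On a package upgrade the directory appears only if the scriptlets re-run `systemd-tmpfiles --create` before httpd is restarted, which is not visible in this diff and is worth confirming. Otherwise the upgrade reproduces the invalid ccache path failure the commit message describes. A comment above the setting would record the dependency: `# directory is created via tmpfiles.d (ipa.conf); it must exist before httpd starts`.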
@@ -1,3 +1,5 @@
 d /var/run/ipa_memcached 0700 apache apache
 d /var/run/ipa 0700 root root
-d /var/run/httpd/clientcaches 0700 apache apache
+d /var/run/httpd/ipa 0700 apache apache
+d /var/run/httpd/ipa/clientcaches 0700 apache apache
+d /var/run/httpd/ipa/krbcache 0700 apache apache
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 92637c04d..57de2f1a9 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 17 - DO NOT REMOVE THIS LINE
+# VERSION 18 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -66,7 +66,7 @@ WSGIScriptReloading Off
 AuthName "Kerberos Login"
 GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
 GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
- GssapiDelegCcacheDir /var/run/httpd/clientcaches
+ GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
 GssapiUseS4U2Proxy on
 Require valid-user
 ErrorDocument 401 /ipa/errors/unauthorized.html |
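Review bot: The tmpfiles hunk (`@@ -1,3 +1,5`) gives no hint why the httpd caches now live in an `ipa` subdirectory instead of directly under `/var/run/httpd`, so a later cleanup could flatten the layout and reintroduce the conflict described in the commit message. A one-line comment before the three new `d` entries would preserve the reason: `# IPA-private subtree: keep ccache dirs separate from directories other httpd auth module packages own`.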
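Review bot: In install/conf/ipa.conf (`@@ -66,7 +66,7`), switching `GssapiDelegCcacheDir` to `/var/run/httpd/ipa/clientcaches` leaves any delegated credential caches already written under the old `/var/run/httpd/clientcaches` orphaned. They hold users' delegated tickets and stay on disk until the tickets expire or the host reboots. The old directory was 0700 apache:apache, so exposure is limited to the httpd account, but it is worth confirming whether the upgrade step (presumably keyed on the VERSION bump in this file's first hunk) should clear them. A comment above the directive would also state the requirement the module depends on: `# must exist (tmpfiles.d) as 0700 apache:apache; holds delegated user tickets`. The enclosing configuration block starts and ends outside the hunk.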