From 495da412f155603c02907187c21dd4511281df2c Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 23 Jun 2015 17:01:00 +0200 Subject: Provide Kerberos over HTTP (MS-KKDCP) Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum Reviewed-By: Simo Sorce --- install/conf/Makefile.am | 1 + install/conf/ipa-kdc-proxy.conf.template | 30 ++++++++++++++++++++++++++++++ install/conf/ipa.conf | 6 +++--- 3 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 install/conf/ipa-kdc-proxy.conf.template (limited to 'install/conf') diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am index 65e25bc94..5daac776f 100644 --- a/install/conf/Makefile.am +++ b/install/conf/Makefile.am @@ -3,6 +3,7 @@ NULL = appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + ipa-kdc-proxy.conf.template \ ipa-pki-proxy.conf \ ipa-rewrite.conf \ $(NULL) diff --git a/install/conf/ipa-kdc-proxy.conf.template b/install/conf/ipa-kdc-proxy.conf.template new file mode 100644 index 000000000..9290cebba --- /dev/null +++ b/install/conf/ipa-kdc-proxy.conf.template @@ -0,0 +1,30 @@ +# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy) +# +# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained +# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in +# httpd.service. The service also sets the environment variable +# KDCPROXY_CONFIG to $KDCPROXY_CONFIG. +# +# Disable KDC Proxy on the current host: +# # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif +# # systemctl restart httpd.service +# +# Enable KDC Proxy on the current host: +# # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif +# # systemctl restart httpd.service +# + +WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \ + user=kdcproxy group=kdcproxy display-name=%{GROUP} +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ + process-group=kdcproxy application-group=kdcproxy +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py +WSGIScriptReloading Off + + + Satisfy Any + Order Deny,Allow + Allow from all + WSGIProcessGroup kdcproxy + WSGIApplicationGroup kdcproxy + diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 57de2f1a9..e2b602c85 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -41,9 +41,7 @@ WSGISocketPrefix /run/httpd/wsgi # Configure mod_wsgi handler for /ipa -WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 -WSGIProcessGroup ipa -WSGIApplicationGroup ipa +WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 display-name=%{GROUP} WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py WSGIScriptReloading Off @@ -70,6 +68,8 @@ WSGIScriptReloading Off GssapiUseS4U2Proxy on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html + WSGIProcessGroup ipa + WSGIApplicationGroup ipa # Turn off Apache authentication for sessions -- cgit