freeipa.git/init/systemd/httpd.service, branch master_keytab FreeIPA patches destroy httpd ccache after stopping the service 2015-09-23T11:04:18+00:00 Martin Babinsky mbabinsk@redhat.com 2015-09-16T16:35:21+00:00 93d080d726359db16749104c8bc20d14a5455dc0 This will force recreation of the file-based ccache after IPA restore and prevent a mismatch between cached and restored Kerberos keys. https://fedorahosted.org/freeipa/ticket/5296 Reviewed-By: Martin Basti <mbasti@redhat.com> 
This will force recreation of the file-based ccache after IPA restore and
prevent a mismatch between cached and restored Kerberos keys.

https://fedorahosted.org/freeipa/ticket/5296

Reviewed-By: Martin Basti <mbasti@redhat.com>
Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24T08:43:58+00:00 Christian Heimes cheimes@redhat.com 2015-06-23T15:01:00+00:00 495da412f155603c02907187c21dd4511281df2c Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
move IPA-related http runtime directories to common subdirectory 2015-05-19T12:59:18+00:00 Martin Babinsky mbabinsk@redhat.com 2015-05-15T13:37:05+00:00 7ff7b1f533cc10c44acf6020b545b253de1ad37b When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use common directory for storing Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory leading to invalid CCache path for httpd and authentication failure. Using an IPA-specific directory for credential storage during apache runtime avoids this issue. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: David Kupka <dkupka@redhat.com> 
When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same
time, they use common directory for storing Apache ccache file. Uninstallation
of 'mod_auth_kerb' removes this directory leading to invalid CCache path for
httpd and authentication failure.

Using an IPA-specific directory for credential storage during apache runtime
avoids this issue.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: David Kupka <dkupka@redhat.com>
provide dedicated ccache file for httpd 2015-05-12T11:01:45+00:00 Martin Babinsky mbabinsk@redhat.com 2015-04-28T14:24:02+00:00 9a1a409d63e30dcb939b672d352fc4aa7ba690fe httpd service stores Kerberos credentials in kernel keyring which gets destroyed and recreated during service install/upgrade, causing problems when the process is run under SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
httpd service stores Kerberos credentials in kernel keyring which gets
destroyed and recreated during service install/upgrade, causing problems when
the process is run under SELinux context other than 'unconfined_t'. This patch
enables HTTPInstance to set up a dedicated CCache file for Apache to store
credentials.

https://fedorahosted.org/freeipa/ticket/4973

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>