freeipa.git/install/conf, branch cakeysfix FreeIPA patches Revert "Store GSSAPI session key in /var/run/ipa" 2017-04-27T13:39:54+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-27T12:36:01+00:00 50f6883662e258b0335c8b3cb69946d6dcbf206c This reverts commit 2bab2d4963daa99742875f3633a99966bc56f5a3. It was pointed out that apache has no access to /var/lib/ipa directory breaking the session handling. https://pagure.io/freeipa/issue/6880 Reviewed-By: Simo Sorce <ssorce@redhat.com> 
This reverts commit 2bab2d4963daa99742875f3633a99966bc56f5a3. It was
pointed out that apache has no access to /var/lib/ipa directory breaking
the session handling.

https://pagure.io/freeipa/issue/6880

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Store GSSAPI session key in /var/run/ipa 2017-04-27T10:35:46+00:00 Martin Basti mbasti@redhat.com 2017-04-20T08:39:08+00:00 2bab2d4963daa99742875f3633a99966bc56f5a3 Runtime data should be stored in /var/run instead of /etc/httpd/alias. This change is also compatible with selinux policy. https://pagure.io/freeipa/issue/6880 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Runtime data should be stored in /var/run instead of /etc/httpd/alias.
This change is also compatible with selinux policy.

https://pagure.io/freeipa/issue/6880

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Replace hard-coded kdcproxy path with WSGI script 2017-04-12T11:05:23+00:00 Christian Heimes cheimes@redhat.com 2017-03-29T15:58:47+00:00 2cd6788c3f52a9b87f24b9b3e57d66a864397966 mod_wsgi has no way to import a WSGI module by dotted module name. A new kdcproxy.wsgi script is used to import kdcproxy from whatever Python version mod_wsgi is compiled against. This will simplify moving FreeIPA to Python 3 and solves an import problem on Debian. Resolves: https://pagure.io/freeipa/issue/6834 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> 
mod_wsgi has no way to import a WSGI module by dotted module name. A new
kdcproxy.wsgi script is used to import kdcproxy from whatever Python
version mod_wsgi is compiled against. This will simplify moving FreeIPA
to Python 3 and solves an import problem on Debian.

Resolves: https://pagure.io/freeipa/issue/6834

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
WebUI: cert login: Configure name of parameter used to pass username 2017-04-11T13:29:11+00:00 David Kupka dkupka@redhat.com 2017-04-10T11:11:13+00:00 157831a287c64106eed4da4ace5228d7e369ae2f Directive LookupUserByCertificateParamName tells mod_lookup_identity module the name of GET parameter that is used to provide username in case certificate is mapped to multiple user accounts. Without this directive login with certificate that's mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6860 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
Directive LookupUserByCertificateParamName tells mod_lookup_identity module the
name of GET parameter that is used to provide username in case certificate is
mapped to multiple user accounts.
Without this directive login with certificate that's mapped to multiple users
doesn't work.

https://pagure.io/freeipa/issue/6860

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Increase Apache HTTPD's default keep alive timeout 2017-03-20T18:24:28+00:00 Christian Heimes cheimes@redhat.com 2017-03-20T07:47:56+00:00 7f567286f6b89f3e981af02913e833d3e8ed5064 Apache has a default keep alive timeout of 5 seconds. That's too low for interactive commands, e.g. password prompts. 30 seconds sounds like a good compromise. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Apache has a default keep alive timeout of 5 seconds. That's too low for
interactive commands, e.g. password prompts. 30 seconds sounds like a
good compromise.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Support certificate login after installation and upgrade 2017-03-14T14:13:43+00:00 Pavel Vomacka pvomacka@redhat.com 2017-03-09T11:14:21+00:00 75c592d3b9081474cae51c929e6af29c7a0eebb6 Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com> 
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Limit sessions to 30 minutes by default 2017-03-01T12:43:40+00:00 Simo Sorce simo@redhat.com 2017-02-27T15:50:03+00:00 d5e7a57e5b25b9cecb7a65096487a65374ad860d When we changed the session handling code we unintentinally extended sessions expiraion time to the whole ticket lifetime of 24h. Related to https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
When we changed the session handling code we unintentinally extended
sessions expiraion time to the whole ticket lifetime of 24h.

Related to https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Deduplicate session cookies in headers 2017-02-17T08:57:23+00:00 Simo Sorce simo@redhat.com 2017-02-16T18:29:10+00:00 d0642bfa55e9c24429675f623bc0e35824bc9fb0 This removes one of the 2 identical copies of the ipa_session cookie Fixes https://fedorahosted.org/freeipa/ticket/6676 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
This removes one of the 2 identical copies of the ipa_session cookie

Fixes https://fedorahosted.org/freeipa/ticket/6676

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add a new user to run the framework code 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 4fd89833ee5421b05c10329d627d0e0fc8496046 Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Configure HTTPD to work via Gss-Proxy 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-11-29T16:10:22+00:00 d2f5fc304f1938d23171ae330fa20b213ceed54e https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>