| | | |
|---|---|---|
| author | Simo Sorce <simo@redhat.com> | 2016-08-19 09:23:55 -0400 |
| committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
| commit | c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a (patch) | |
| tree | 8511e93ca9e8e1df6c504b8f18d2fec733686d26 /install/conf | |
| parent | 11ef2cacbf2ebb67f80a0cf4a3e7b39da700188b (diff) | |
| download | freeipa-c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a.tar.gz freeipa-c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a.tar.xz freeipa-c894ebefc5c4c4c7ea340d6ddc4cd3c081917e4a.zip | |
Change session handling
Stop using memcache, use mod_auth_gssapi filesystem based ccaches.
Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.
Add loopback to mod_auth_gssapi to do form based auth and pass back a
valid session cookie.
And now that we do not remove ccache files to move them to the
memcache, we can avoid the risk of polluting the filesystem by keeping
a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install/conf')
| -rw-r--r-- | install/conf/ipa.conf | 22 |
1 files changed, 9 insertions, 13 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 3e7435903..6ae416353 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -63,10 +63,15 @@ WSGIScriptReloading Off <Location "/ipa"> AuthType GSSAPI AuthName "Kerberos Login" + GssapiUseSessions On + Session On + SessionCookieName ipa_session path=/ipa;httponly;secure; + SessionHeader IPASESSION + GssapiSessionKey file:/etc/httpd/alias/ipasession.key + GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches - GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user @@ -77,19 +82,10 @@ WSGIScriptReloading Off Header always append Content-Security-Policy "frame-ancestors 'none'" </Location> -# Turn off Apache authentication for sessions -<Location "/ipa/session/json"> - Satisfy Any - Order Deny,Allow - Allow from all -</Location> - -<Location "/ipa/session/xml"> - Satisfy Any - Order Deny,Allow - Allow from all -</Location> +# Target for login with internal connections +Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" +# Turn off Apache authentication for password/token based login pages <Location "/ipa/session/login_password"> Satisfy Any Order Deny,Allow |
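Review bot: in the first hunk (`@@ -63,10 +63,15 @@`), `GssapiDelegCcacheUnique On` is dropped while `GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches` stays, so all concurrent requests for the same principal now share one delegated ccache file; that is the intent stated in the commit message, but a comment in ipa.conf should say so, because a stale or half-refreshed shared ccache now affects every session of that user rather than a single one. Two smaller points: `GssapiSessionKey file:/etc/httpd/alias/ipasession.key` references a file this hunk does not create, so the installer change that generates it and restricts it to the httpd user should be named in the commit message, since that key protects the `ipa_session` cookie; and `SessionCookieName ipa_session path=/ipa;httponly;secure;` carries a trailing `;` that yields an empty cookie attribute, so drop it.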
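Review bot: in the second hunk (`@@ -77,19 +82,10 @@`), the new `Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"` is commented as the target for login with internal connections, but nothing in the shown config restricts who can reach it: it sits under `<Location "/ipa">`, so it is gated by `AuthType GSSAPI` and `Require valid-user`, which is what a GSSAPI-to-cookie loopback needs, yet the comment implies a network restriction that is not there. Either reword the comment to say the path is reachable by any GSSAPI-authenticated client and exists so the server's own form-login handler can obtain a session cookie, or add an explicit `Require local` / `Require ip` block if that restriction is actually intended. Removing the anonymous `/ipa/session/json` and `/ipa/session/xml` blocks follows from the new model, since those endpoints are now covered by the session cookie under `/ipa`; the commit message should state that clients which posted to them without Apache authentication must now obtain a cookie first.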
