| field | value | date |
|---|---|---|
| author | Simo Sorce <simo@redhat.com> | 2016-08-19 09:23:55 -0400 |
| committer | Simo Sorce <simo@redhat.com> | 2017-02-14 17:36:04 -0500 |
| commit | 8b88ef00331f1fbb28802b3eba5ced62daeffc9e | |
| tree | 3236bbad94a1ada157e62070960948e9e5a0b08f /install | |
| parent | 8d3bea8accb9814b3a973f4a606110fee78baf72 | |
| download | freeipa-8b88ef00331f1fbb28802b3eba5ced62daeffc9e.tar.gz, freeipa-8b88ef00331f1fbb28802b3eba5ced62daeffc9e.tar.xz, freeipa-8b88ef00331f1fbb28802b3eba5ced62daeffc9e.zip | |
Change session handling

Stop using memcache, use mod_auth_gssapi filesystem based ccaches.

Remove custom session handling, use mod_auth_gssapi and mod_session to
establish and keep a session cookie.

Add loopback to mod_auth_gssapi to do form based auth and pass back a
valid session cookie.

And now that we do not remove ccaches files to move them to the
memcache, we can avoid the risk of polluting the filesystem by keeping
a common ccache file for all instances of the same user.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Diffstat (limited to 'install')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | install/conf/ipa.conf | 22 |
| -rw-r--r-- | install/share/Makefile.am | 4 |
| -rw-r--r-- | install/share/gssapi.login | 0 |
| -rw-r--r-- | install/share/memcache-remove.uldif | 1 |

4 files changed, 13 insertions, 14 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 3e7435903..6ae416353 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -63,10 +63,15 @@ WSGIScriptReloading Off <Location "/ipa"> AuthType GSSAPI AuthName "Kerberos Login" + GssapiUseSessions On + Session On + SessionCookieName ipa_session path=/ipa;httponly;secure; + SessionHeader IPASESSION + GssapiSessionKey file:/etc/httpd/alias/ipasession.key + GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches - GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user @@ -77,19 +82,10 @@ WSGIScriptReloading Off Header always append Content-Security-Policy "frame-ancestors 'none'" </Location> -# Turn off Apache authentication for sessions -<Location "/ipa/session/json"> - Satisfy Any - Order Deny,Allow - Allow from all -</Location> - -<Location "/ipa/session/xml"> - Satisfy Any - Order Deny,Allow - Allow from all -</Location> +# Target for login with internal connections +Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" +# Turn off Apache authentication for password/token based login pages <Location "/ipa/session/login_password"> Satisfy Any Order Deny,Allow diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 715912d8b..6f35a329e 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -86,7 +86,9 @@ dist_app_DATA = \ vault.ldif \ kdcproxy-enable.uldif \ kdcproxy-disable.uldif \ - ipa-httpd.conf.template + ipa-httpd.conf.template \ + gssapi.login \ + $(NULL) kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy dist_kdcproxyconf_DATA = \ diff --git a/install/share/gssapi.login b/install/share/gssapi.login new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/install/share/gssapi.login 
diff --git a/install/share/memcache-remove.uldif b/install/share/memcache-remove.uldif new file mode 100644 index 000000000..e6ca1a617 --- /dev/null +++ b/install/share/memcache-remove.uldif @@ -0,0 +1 @@ +deleteentry: cn=MEMCACHE,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX |
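Review bot: In the first ipa.conf hunk, `GssapiSessionKey file:/etc/httpd/alias/ipasession.key` names a file that nothing in this patch creates (the diffstat, limited to install/, touches only the four listed files); confirm the installer and upgrade code generate that key with permissions readable only by the httpd user before Apache starts, since the session cookie's protection rests entirely on it. Two related points in the same hunk: `Session On` is added without a `SessionMaxAge`, so mod_session itself does not bound the cookie's lifetime and it should be stated where expiry is enforced or set explicitly here; and dropping `GssapiDelegCcacheUnique On` means every request from the same principal now shares one ccache under /var/run/httpd/ipa/clientcaches, which the commit message explains but ipa.conf should carry as a comment, because it changes the concurrency behaviour of delegated credentials.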
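Review bot: In the second ipa.conf hunk, removing the `Satisfy Any` blocks for /ipa/session/json and /ipa/session/xml makes those endpoints inherit the GSSAPI and session authentication from `<Location "/ipa">`, which is the intent, but the new `Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"` has no `<Location>` of its own and relies on the same inheritance; the comment "Target for login with internal connections" should spell out that gssapi.login is deliberately empty (blob e69de29bb) and that the path must stay under the authenticated location, so that a later exception added for it is recognised as creating an unauthenticated route that issues session cookies.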
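Review bot: The Makefile.am hunk adds gssapi.login to `dist_app_DATA` but not the new install/share/memcache-remove.uldif, so that update file is neither distributed nor installed by this change; add it next to gssapi.login (the `$(NULL)` terminator introduced here makes that a one-line addition).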
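Review bot: The memcache-remove.uldif hunk deletes `cn=MEMCACHE,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX`, but nothing in this diff applies the file (the Makefile.am hunk does not install it and no installer or upgrade step references it here); confirm the caller lands outside install/ and that the updater treats an already absent entry as success, so the step is idempotent on fresh masters that never had the memcache service as well as on upgraded ones.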
