author | Pavel Vomacka <pvomacka@redhat.com> | 2017-03-09 12:14:21 +0100 |
---|---|---|
committer | David Kupka <dkupka@redhat.com> | 2017-03-14 15:13:43 +0100 |
commit | 75c592d3b9081474cae51c929e6af29c7a0eebb6 (patch) | |
tree | 08a829055afb0d7d4c3ee4048ae4826f590aac9b /install | |
parent | 8980f4098ebf6b62556e24f090718802d1e495d3 (diff) | |
Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.
https://pagure.io/freeipa/issue/6225
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa.conf | 33 | ||||
-rw-r--r-- | install/share/gssproxy.conf.template | 1 |
2 files changed, 32 insertions, 2 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 419d4e347..164231c72 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,11 +1,16 @@
 #
-# VERSION 23 - DO NOT REMOVE THIS LINE
+# VERSION 24 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
-ProxyRequests Off
+# Load lookup_identity module in case it has not been loaded yet
+# The module is used to search users according the certificate.
+<IfModule !lookup_identity_module>
+ LoadModule lookup_identity_module modules/mod_lookup_identity.so
+</IfModule>
+ProxyRequests Off
 #We use xhtml, a file format that the browser validates
 DirectoryIndex index.html
@@ -70,6 +75,7 @@ WSGIScriptReloading Off
 SessionMaxAge 1800
 GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+ GssapiImpersonate On
 GssapiDelegCcacheDir /var/run/ipa/ccaches
 GssapiDelegCcachePerms mode:0660 gid:ipaapi
 GssapiUseS4U2Proxy on
@@ -97,6 +103,29 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
 Allow from all
 </Location>
+# Login with user certificate/smartcard configuration
+# This configuration needs to be loaded after <Location "/ipa">
+<Location "/ipa/session/login_x509">
+ AuthType none
+ GssapiDelegCcacheDir /var/run/ipa/ccaches
+ GssapiDelegCcachePerms mode:0660 gid:ipaapi
+ NSSVerifyClient require
+ NSSUserName SSL_CLIENT_CERT
+ LookupUserByCertificate On
+ WSGIProcessGroup ipa
+ WSGIApplicationGroup ipa
+ GssapiImpersonate On
+
+ GssapiUseSessions On
+ Session On
+ SessionCookieName ipa_session path=/ipa;httponly;secure;
+ SessionHeader IPASESSION
+ SessionMaxAge 1800
+ GssapiSessionKey file:/etc/httpd/alias/ipasession.key
+
+ Header unset Set-Cookie
+</Location>
+
 <Location "/ipa/session/change_password">
 Satisfy Any
 Order Deny,Allow
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a68..d7031448a 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
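Review bot: The new comment above the `<IfModule !lookup_identity_module>` guard has a grammar slip and under-explains what the module is trusted to do; suggest `# The module maps the verified client certificate to a user via SSSD (used by /ipa/session/login_x509).` in place of `# The module is used to search users according the certificate.`. Since the guard only skips LoadModule when the module is already present, httpd will refuse to start if mod_lookup_identity is not installed, which is the safe failure mode for a login path; a one-line comment noting that this is intentional would keep a future maintainer from "fixing" it with a second IfModule wrapper.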
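Review bot: `GssapiImpersonate On` is added to the main `<Location "/ipa">` block (which begins outside this hunk), not only to the new certificate endpoint, and nothing in the hunk says why the Kerberos-authenticated path needs S4U2Self. If it is required here because the session-cookie path arrives without delegated credentials, a comment such as `# Needed so sessions established by login_x509 (no delegated TGT) can still obtain service tickets via S4U2Self` would document that; if it is only needed for the certificate login, scoping it to /ipa/session/login_x509 limits where httpd is permitted to mint tickets on a user's behalf. I cannot tell from the diff which case applies, so this is a request for either the comment or the narrower scope.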
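Review bot: In the new `<Location "/ipa/session/login_x509">` block, authentication rests entirely on `NSSVerifyClient require` plus `LookupUserByCertificate On` under `AuthType none`, yet the block carries no statement of what happens when the certificate chains correctly but maps to no user, and nothing here addresses revocation. If mod_lookup_identity fails closed (no mapped user → request rejected) and revocation checking is provided by the global mod_nss configuration, say so above the block, e.g. `# Access requires a client cert that mod_nss validates (revocation per global NSS/OCSP settings) AND that SSSD maps to a user; unmapped certs are rejected.` — I cannot verify either property from this diff, so please confirm both before merging. The session directives (`GssapiUseSessions` through `GssapiSessionKey`) duplicate the `/ipa` block verbatim; a comment `# Keep in sync with <Location "/ipa"> session settings` would reduce the risk of the two drifting on `SessionMaxAge` or the key file.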
@@ -4,6 +4,7 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true + allow_constrained_delegation = true cred_usage = both euid = $HTTPD_USER |
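Review bot: `allow_constrained_delegation = true` is added next to the existing `allow_protocol_transition = true` with no comment, so the template now grants the httpd service both S4U2Self and S4U2Proxy through gssproxy without stating why both are needed or what bounds them. Suggest a comment above the new line, `# S4U2Self (protocol transition) for certificate login, S4U2Proxy (constrained delegation) to reach LDAP on the user's behalf; the set of reachable services is enforced by KDC delegation policy, not here`, with the LDAP part adjusted if the actual target differs, since it is not visible in this diff. The section header this line belongs to lies outside the hunk.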