author | Simo Sorce <simo@redhat.com> | 2016-11-29 11:10:22 -0500 |
committer | Jan Cholasta <jcholast@redhat.com> | 2017-02-15 07:13:37 +0100 |
commit | d2f5fc304f1938d23171ae330fa20b213ceed54e (patch) | |
tree | b77e05211632aef8e08cb3cd937d8498d9391ed5 /ipaserver/install/httpinstance.py | |
parent | b6741d81e187fc84177c12ef8ad900d3b5cda6a4 (diff) | |
Configure HTTPD to work via Gss-Proxy
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'ipaserver/install/httpinstance.py')
-rw-r--r-- | ipaserver/install/httpinstance.py | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index d07b32253..dddf097c0 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -129,10 +129,11 @@ class HTTPInstance(service.Service):
             api=api,
             service_prefix=u'HTTP',
             service_user=HTTPD_USER,
-            keytab=paths.IPA_KEYTAB)
+            keytab=paths.HTTP_KEYTAB)
 
         self.cert_nickname = cert_nickname
         self.ca_is_configured = True
+        self.keytab_user = constants.GSSPROXY_USER
 
     subject_base = ipautil.dn_attribute_property('_subject_base')
 
@@ -169,13 +170,15 @@ class HTTPInstance(service.Service):
         self.step("configuring httpd", self.__configure_http)
         self.step("setting up httpd keytab", self._request_service_keytab)
         self.step("retrieving anonymous keytab", self.request_anon_keytab)
+        self.step("configuring Gssproxy", self.configure_gssproxy)
         self.step("setting up ssl", self.__setup_ssl)
         if self.ca_is_configured:
             self.step("configure certmonger for renewals",
                       self.configure_certmonger_renewal_guard)
         self.step("importing CA certificates from LDAP", self.__import_ca_certs)
         self.step("publish CA cert", self.__publish_ca_cert)
-        self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
+        self.step("clean up any existing httpd ccaches",
+                  self.remove_httpd_ccaches)
         self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
         if not self.is_kdcproxy_configured():
             self.step("create KDC proxy user", create_kdcproxy_user)
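Review bot: The new `self.keytab_user = constants.GSSPROXY_USER` assignment carries no comment explaining why the keytab owner differs from `service_user` (HTTPD_USER), which is the non-obvious part of this change; a one-liner such as `# the keytab is read by gssproxy on httpd's behalf, so it is owned by the gssproxy user rather than HTTPD_USER` would save the next reader a trip to the ticket. Presumably the base class consumes `keytab_user` when `_request_service_keytab` runs; that code is outside the hunk, so confirm the attribute name matches what the base class reads. The enclosing `__init__` begins outside the hunk.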
@@ -205,13 +208,13 @@ class HTTPInstance(service.Service):
         except ipapython.errors.SetseboolError as e:
             self.print_msg(e.format_service_warning('web interface'))
 
-    def remove_httpd_ccache(self):
-        # Clean up existing ccache
+    def remove_httpd_ccaches(self):
+        # Clean up existing ccaches
         # Make sure that empty env is passed to avoid passing KRB5CCNAME from
         # current env
-        ipautil.run(
-            [paths.KDESTROY, '-A'], runas=self.service_user, raiseonerr=False,
-            env={})
+        installutils.remove_file(paths.HTTP_CCACHE)
+        for f in os.listdir(paths.IPA_CCACHES):
+            os.remove(os.path.join(paths.IPA_CCACHES, f))
 
     def __configure_http(self):
         self.update_httpd_service_ipa_conf()
@@ -235,6 +238,10 @@ class HTTPInstance(service.Service):
         http_fd.close()
         os.chmod(target_fname, 0o644)
 
+    def configure_gssproxy(self):
+        tasks.configure_http_gssproxy_conf()
+        services.knownservices.gssproxy.restart()
+
     def change_mod_nss_port_from_http(self):
         # mod_ssl enforces SSLEngine on for vhost on 443 even though
         # the listener is mod_nss. This then crashes the httpd as mod_nss
@@ -541,8 +548,7 @@ class HTTPInstance(service.Service):
             root_logger.debug(error)
 
         installutils.remove_keytab(self.keytab)
-        installutils.remove_ccache(ccache_path=paths.KRB5CC_HTTPD,
-                                   run_as=self.service_user)
+        installutils.remove_file(paths.HTTP_CCACHE)
 
         # Remove the configuration files we create
         installutils.remove_file(paths.HTTPD_IPA_REWRITE_CONF)
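Review bot: The comment `# Make sure that empty env is passed to avoid passing KRB5CCNAME from current env` in `remove_httpd_ccaches` is now stale: the `ipautil.run([paths.KDESTROY, '-A'], ..., env={})` call it described is removed and nothing passes an environment any more, so it should be replaced. The old call ran with `raiseonerr=False`, i.e. best-effort, whereas the new `os.listdir(paths.IPA_CCACHES)` raises `FileNotFoundError` if the directory does not exist yet and `os.remove` fails on any subdirectory entry, so the step can now abort an install where it previously only logged; whether `installutils.remove_file` already tolerates a missing file is not visible here. Note also that `kdestroy -A` handled any ccache type while file removal only covers FILE ccaches, which seems to be the intent of this change but is worth stating in the comment. A best-effort rewrite using `root_logger`, which this file already uses, is below.
```python
    def remove_httpd_ccaches(self):
        # Remove the file-based ccaches used by httpd and gssproxy; they are
        # recreated on demand, so a missing file or directory is not an error.
        installutils.remove_file(paths.HTTP_CCACHE)
        try:
            for f in os.listdir(paths.IPA_CCACHES):
                os.remove(os.path.join(paths.IPA_CCACHES, f))
        except OSError as e:
            root_logger.debug("Failed to remove ccache: %s", e)
```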
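Review bot: `configure_gssproxy` has no docstring, and `services.knownservices.gssproxy.restart()` is the only service action visible, so whether gssproxy is also enabled to start at boot is not determinable from this hunk; if `tasks.configure_http_gssproxy_conf()` does not take care of that, httpd would have no working credentials after a reboot, so confirm or add an `enable()` call before the restart. A docstring such as `"""Write the gssproxy configuration for httpd and restart gssproxy so it takes effect."""` would make the new install step self-explanatory.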
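Review bot: The uninstall path now removes only `paths.HTTP_CCACHE`, while the new `remove_httpd_ccaches` (hunk at -205) also clears every entry under `paths.IPA_CCACHES`; leaving those ccaches behind on uninstall means credentials obtained through gssproxy outlive the removal of the service. Replacing the line with `self.remove_httpd_ccaches()` keeps the two cleanup paths in step and avoids a second copy of the file list. The enclosing method begins and ends outside the hunk.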