summaryrefslogtreecommitdiffstats
path: root/init/systemd/httpd.service
Commit message (Collapse)AuthorAgeFilesLines
* destroy httpd ccache after stopping the serviceMartin Babinsky2015-09-231-0/+1
| | | | | | | | | This will force recreation of the file-based ccache after IPA restore and prevent a mismatch between cached and restored Kerberos keys. https://fedorahosted.org/freeipa/ticket/5296 Reviewed-By: Martin Basti <mbasti@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP)Christian Heimes2015-06-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS. - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied. - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa, cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present. - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui. - A ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present. - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var. - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf. - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet. https://www.freeipa.org/page/V4/KDC_Proxy https://fedorahosted.org/freeipa/ticket/4801 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com>
* move IPA-related http runtime directories to common subdirectoryMartin Babinsky2015-05-191-1/+1
| | | | | | | | | | | | | | When both 'mod_auth_kerb' and 'mod_auth_gssapi' are installed at the same time, they use common directory for storing Apache ccache file. Uninstallation of 'mod_auth_kerb' removes this directory leading to invalid CCache path for httpd and authentication failure. Using an IPA-specific directory for credential storage during apache runtime avoids this issue. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: David Kupka <dkupka@redhat.com>
* provide dedicated ccache file for httpdMartin Babinsky2015-05-121-0/+4
httpd service stores Kerberos credentials in kernel keyring which gets destroyed and recreated during service install/upgrade, causing problems when the process is run under SELinux context other than 'unconfined_t'. This patch enables HTTPInstance to set up a dedicated CCache file for Apache to store credentials. https://fedorahosted.org/freeipa/ticket/4973 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
generated by cgit (git 2.34.1) at 2026-04-04 00:37:34 +0000