path: root/install/tools/ipa-httpd-kdcproxy
Commit message | Author | Age | Files | Lines
* Handle timeout error in ipa-httpd-kdcproxy | Christian Heimes | 2015-09-10 | 1 | -1/+2

  The ipa-httpd-kdcproxy script now handles LDAP timeout errors correctly. A timeout no longer results in an Apache startup error.

  https://fedorahosted.org/freeipa/ticket/5292

  Reviewed-By: Martin Basti <mbasti@redhat.com>
* Improve error handling in ipa-httpd-kdcproxy | Christian Heimes | 2015-07-07 | 1 | -20/+55

  The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles connection and authentication errors more gracefully. If the script is not able to connect to LDAP, it only prints a warning and exits with status code 0. All other errors are still reported as fatal error and result in a non-zero exit code.

  This fixes a problem with offline RPM updates. A restart of Apache no longer fails when LDAP is not running.

  Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Provide Kerberos over HTTP (MS-KKDCP) | Christian Heimes | 2015-06-24 | 1 | -0/+180

  Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

  - freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
  - The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present.
  - The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
  - An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
  - The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
  - python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers are read from /etc/krb5.conf.
  - The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

  https://www.freeipa.org/page/V4/KDC_Proxy
  https://fedorahosted.org/freeipa/ticket/4801

  Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
  Reviewed-By: Simo Sorce <ssorce@redhat.com>