From 8b88ef00331f1fbb28802b3eba5ced62daeffc9e Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Fri, 19 Aug 2016 09:23:55 -0400
Subject: Change session handling

Stop using memcache, use mod_auth_gssapi filesystem based ccaches. Remove custom session handling, use mod_auth_gssapi and mod_session to establish and keep a session cookie. Add loopback to mod_auth_gssapi to do form absed auth and pass back a valid session cookie. And now that we do not remove ccaches files to move them to the memcache, we can avoid the risk of pollutting the filesystem by keeping a common ccache file for all instances of the same user.
https://fedorahosted.org/freeipa/ticket/5959
Signed-off-by: Simo Sorce
---
 install/conf/ipa.conf | 22 +++++++++-------------
 install/share/Makefile.am | 4 +++-
 install/share/gssapi.login | 0
 install/share/memcache-remove.uldif | 1 +
 4 files changed, 13 insertions(+), 14 deletions(-)
 create mode 100644 install/share/gssapi.login
 create mode 100644 install/share/memcache-remove.uldif
(limited to 'install')
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 3e7435903..6ae416353 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -63,10 +63,15 @@ WSGIScriptReloading Off AuthType GSSAPI AuthName "Kerberos Login" + GssapiUseSessions On + Session On + SessionCookieName ipa_session path=/ipa;httponly;secure; + SessionHeader IPASESSION + GssapiSessionKey file:/etc/httpd/alias/ipasession.key + GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches - GssapiDelegCcacheUnique On GssapiUseS4U2Proxy on GssapiAllowedMech krb5 Require valid-user
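Review bot: The added `GssapiSessionKey file:/etc/httpd/alias/ipasession.key` makes that single file the root of trust for every ipa_session cookie, yet nothing in this diff creates it or fixes its owner and mode — presumably an installer step outside the 'install' tree shown here does, but the directive deserves a comment such as `# ipasession.key protects every ipa_session cookie: keep it readable by the httpd user only; regenerating it invalidates all outstanding sessions`. Dropping `GssapiDelegCcacheUnique On` means all concurrent sessions of one principal now share a single delegated ccache under /var/run/httpd/ipa/clientcaches, which the commit message accepts deliberately but which appears to rule out revoking one session's delegated credentials without affecting the others; a one-line comment on `GssapiDelegCcacheDir` saying so would spare the next reader a surprise. No `SessionMaxAge` accompanies `Session On`, so the cookie's lifetime seems to rest entirely on whatever expiry mod_auth_gssapi records in the session — worth confirming rather than assuming. The Location block enclosing these directives starts and ends outside the hunk.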
@@ -77,19 +82,10 @@ WSGIScriptReloading Off Header always append Content-Security-Policy "frame-ancestors 'none'" -# Turn off Apache authentication for sessions - - Satisfy Any - Order Deny,Allow - Allow from all - - - - Satisfy Any - Order Deny,Allow - Allow from all - +# Target for login with internal connections +Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login" +# Turn off Apache authentication for password/token based login pages Satisfy Any Order Deny,Allow
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 715912d8b..6f35a329e 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -86,7 +86,9 @@ dist_app_DATA = \ vault.ldif \ kdcproxy-enable.uldif \ kdcproxy-disable.uldif \ - ipa-httpd.conf.template + ipa-httpd.conf.template \ + gssapi.login \ + $(NULL) kdcproxyconfdir = $(IPA_SYSCONF_DIR)/kdcproxy dist_kdcproxyconf_DATA = \
diff --git a/install/share/gssapi.login b/install/share/gssapi.login
new file mode 100644
index 000000000..e69de29bb
diff --git a/install/share/memcache-remove.uldif b/install/share/memcache-remove.uldif
new file mode 100644
index 000000000..e6ca1a617
--- /dev/null
+++ b/install/share/memcache-remove.uldif
@@ -0,0 +1 @@
+deleteentry: cn=MEMCACHE,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
-- cgit
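Review bot: `Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"` issues a session cookie by serving an empty file, so its safety depends on /ipa/session/cookie staying inside the GSSAPI-protected Location, and the rendering here has stripped the `<Location>` tags around both the removed and the kept `Satisfy Any` lines, so which paths remain exempt cannot be confirmed from this page and should be checked against the full file. The new comment does not say that; I would extend it to `# Target for login with internal connections: an empty file under the GSSAPI-protected /ipa location whose only payload is the ipa_session cookie set after a successful Negotiate; never give this path a Satisfy Any exemption`. The alias target also lives outside the document root and nothing in this hunk grants access to /usr/share/ipa, so unless ipa.conf already carries a Directory grant for it, Apache's default deny would turn the alias into a 403. The Location block containing the kept `Satisfy Any` lines continues outside the hunk.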
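Review bot: `memcache-remove.uldif`, created by this same patch, is not added to `dist_app_DATA` next to `gssapi.login`, so unless another rule picks it up it will be neither distributed nor installed and the MEMCACHE entry removal it carries can never be applied. I would add `memcache-remove.uldif \` directly after the `gssapi.login \` line. The `$(NULL)` terminator is welcome, since it keeps future additions from churning the previous last entry.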