So I've been working on migrating freeIPA from mod_python to mod_wsgi. This isn't a big change as the IPA server is already all WSGI internally, but I've run into 2 unexpected problems.
mod_wsgi daemon mode
====================

First, the easy problem. The mod_wsgi documentation clearly states that the daemon mode is the preferred way to deploy. See the "Defining Process Groups" section in:

http://code.google.com/p/modwsgi/wiki/ConfigurationGuidelines

In daemon mode, Apache starts mod_wsgi in a separate process and communicates with it via a Unix socket. Unfortunately, Fedora12 doesn't support daemon mode nicely out of the box and tries to create the socket in /etc/httpd/run, which of course makes selinux mad (as it should). I believe Apache is being run with the Apache home set to /etc/httpd (which itself seems weird to me, not sure if this is a bug).

Anyway, we can fix this with the WSGISocketPrefix directive. But this directive is server-scope (can't be virtual-host-scope), so we really need to fix this in the mod_wsgi package. We just need to add this to /etc/httpd/conf.d/wsgi.conf:

WSGISocketPrefix /var/run/httpd/wsgi

This config file is owned by mod_wsgi, not IPA, so I don't think IPA should be writing stuff to this during its install. Again, needs to be fixed in the mod_wsgi package.

I haven't tried this under Fedora11 yet, so I don't know if the same problem is present there.

Simplify Kerberos protected URLs
================================

Currently in our URL space we have:

/ipa/xml - Kerberos protected
/ipa/json - Kerberos protected
/ipa/ui - Kerberos protected
/ipa/errors - Not protected
/ipa/config - Not protected
/ipa/crl - Not protected

Under mod_python, we have separate handlers for the xml, json, and ui URLs. My upcoming patch has a new WSGI middleware component that is a single entry point at /ipa. I did this so that the LDAP auth and session stuff is handled in exactly the same way regardless of which app is the final target.

Anyway, right now we have to handle stuff in a pretty funky way (including under mod_python). We turn on Kerb auth for /ipa, then turn it off for /ipa/errors and friends.

I would really like us to have two base URLs, something like this:

/ipa/* - Kerberos protected
/ipa-static/* - Not protected

Doesn't have to be called ipa-static, just throwing a name out there. We can work around this (as we already do), but there are 2 reasons I think we should do this:

1. Security - our current approach is confusing and opens us up to mistakes (our mistakes or a sysadmin's).

2. Extensibility - in the V2 cycle we have added several new things in /ipa/*, some Kerberos protected, some not. I'm sure this will happen again in the future, so we might as well clean this up now.

What do people think? I'm not sure I explained this well, but look in install/conf/ipa.conf and you'll see what I mean.

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
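As an added illustration (not the author's patch and not the project's own ipa.conf), here is how the two points above could be expressed in Apache config: daemon mode with the socket prefix moved under /var/run/httpd, and the proposed layout where everything under /ipa is Kerberos protected and unauthenticated content lives under /ipa-static, so no per-path "turn auth back off" exceptions are needed. The process group name, script and static paths, realm and keytab location are assumed placeholder values.

```apache
# --- Server scope: belongs in /etc/httpd/conf.d/wsgi.conf (owned by mod_wsgi) ---
# Put the daemon-mode Unix socket somewhere httpd is allowed to create it,
# instead of the /etc/httpd/run default that SELinux rightly denies.
WSGISocketPrefix /var/run/httpd/wsgi

# --- Virtual-host / app scope: would go in the IPA-owned config ---
# Daemon mode: the IPA app runs in its own process group (name is illustrative).
WSGIDaemonProcess ipa processes=2 threads=15 user=apache group=apache
WSGIProcessGroup ipa

# Single WSGI entry point; the middleware dispatches xml/json/ui beneath /ipa.
# The script path is an assumption.
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py

# Old pattern (simplified): auth on for /ipa, then disabled again for each
# unprotected sub-path. Every new unprotected URL needs another block like this,
# and a forgotten one silently ships an unauthenticated endpoint.
#<Location "/ipa/errors">
#    Satisfy Any
#    Allow from all
#</Location>

# Proposed pattern: one rule for the whole protected tree, no exceptions.
<Location "/ipa">
    AuthType Kerberos
    AuthName "Kerberos Login"
    KrbMethodNegotiate on
    KrbMethodK5Passwd off
    KrbServiceName HTTP
    # Placeholder realm and keytab path.
    KrbAuthRealms EXAMPLE.COM
    Krb5KeyTab /etc/httpd/conf/ipa.keytab
    KrbSaveCredentials on
    Require valid-user
</Location>

# Unauthenticated content gets its own base URL. /ipa-static is a different
# path segment, so the /ipa alias and auth rules above never match it.
# The static directory is an assumption.
Alias /ipa-static /usr/share/ipa/static
<Directory "/usr/share/ipa/static">
    Order allow,deny
    Allow from all
</Directory>
```

With this layout the question "is this URL Kerberos protected?" is answered by its prefix alone, which is the property the mail argues for.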