On Mon, 2011-09-26 at 08:31 +0200, Martin Kosek wrote: > On Sun, 2011-09-25 at 23:05 -0400, Rob Crittenden wrote: > > Martin Kosek wrote: > > > On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote: > > >> Always require SSL in the Kerberos authorization block. > > >> > > >> This also corrects a slight bug where if add is True then we always > > >> re-update the file. > > >> > > >> rob > > > > > > ACK. Pushed to master, ipa-2-1. > > > > > > Martin > > > > > > > Sorry guys, this breaks things pretty badly. We need to be able to allow > > some non-SSL access to parts of /ipa to fetch configuration and return > > errors, etc. for those clients that don't trust our CA yet. > > > > Here is a working change, not fully tested yet: > > > > diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf > > index 2339387..09b4b7a 100644 > > --- a/install/conf/ipa.conf > > +++ b/install/conf/ipa.conf > > @@ -42,10 +42,17 @@ WSGIScriptReloading Off > > SetHandler None > > </Location> > > > > +# Ensure SSL is enabled in our APIs > > +<Location "/ipa/xml"> > > + NSSRequireSSL > > +</Location> > > +<Location "/ipa/json"> > > + NSSRequireSSL > > +</Location> > > + > > > > # Protect /ipa with Kerberos > > <Location "/ipa"> > > - NSSRequireSSL > > AuthType Kerberos > > AuthName "Kerberos Login" > > KrbMethodNegotiate on > > @@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui" > > # migration related pages > > Alias /ipa/migration "/usr/share/ipa/migration" > > <Directory "/usr/share/ipa/migration"> > > + NSSRequireSSL > > AllowOverride None > > Satisfy Any > > Allow from all > > > > Ouch, we can fix it right when you log in. The change looks good, we > will just have to update the conf version in case somebody already > installed this IPA version. > > I was also thinking if /crl shouldn't be secured too but from what I've > seen in the world's common CAs, these are not secured either. > > Martin >
Since Rob may not be here today, and since I think this should be fixed fast, I am sending the patch based on Rob's mail. I just bumped the config file version so that it is updated on already-configured IPA instances. IPA server, client and replica installation and the WebUI worked for me. Martin
>From 4dc109441e853925ee92b4f297f9d5e117afb18a Mon Sep 17 00:00:00 2001 From: Martin Kosek <mko...@redhat.com> Date: Mon, 26 Sep 2011 11:11:28 +0200 Subject: [PATCH] NSSRequireSSL should not be required for entire /ipa Requiring SSL for entire /ipa location breaks installation. https://fedorahosted.org/freeipa/ticket/1755 --- install/conf/ipa.conf | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 2339387a726f326e941f15723ca499d751014a99..7ff64e82986f336bd30c0844fa36ceeab7fb526c 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 3 - DO NOT REMOVE THIS LINE +# VERSION 4 - DO NOT REMOVE THIS LINE # # LoadModule auth_kerb_module modules/mod_auth_kerb.so @@ -42,10 +42,16 @@ WSGIScriptReloading Off SetHandler None </Location> +# Ensure SSL is enabled in our APIs +<Location "/ipa/xml"> + NSSRequireSSL +</Location> +<Location "/ipa/json"> + NSSRequireSSL +</Location> # Protect /ipa with Kerberos <Location "/ipa"> - NSSRequireSSL AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate on @@ -114,6 +120,7 @@ Alias /ipa/ui "/usr/share/ipa/ui" # migration related pages Alias /ipa/migration "/usr/share/ipa/migration" <Directory "/usr/share/ipa/migration"> + NSSRequireSSL AllowOverride None Satisfy Any Allow from all -- 1.7.6.2
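Review bot: the VERSION 3 to VERSION 4 bump in the first hunk is explained only in the cover mail, not in the commit message; add a sentence there saying the bump exists so that already-installed instances get the new ipa.conf on upgrade, since the subject and body only describe the /ipa change and a future reader of the log will not know why the version moved.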
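Review bot: removing NSSRequireSSL from `<Location "/ipa">` while adding it only for /ipa/xml, /ipa/json and the migration directory inverts the rule, so every other path under /ipa (for example the /ipa/ui alias that appears as context in the next hunk) now accepts Kerberos Negotiate, and therefore a client's ticket in the Authorization header, over plain HTTP. The cover mail says only "parts of /ipa" need to be reachable without TLS for clients that do not yet trust the CA; it would be safer to name those paths explicitly as exceptions and keep NSSRequireSSL as the default for the rest of /ipa. Minor: the two identical blocks for /ipa/xml and /ipa/json could be one `<LocationMatch "^/ipa/(xml|json)">`.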
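Review bot: the NSSRequireSSL added to `<Directory "/usr/share/ipa/migration">` sits next to `Satisfy Any` and `Allow from all`; the SSL-required check runs in httpd's access-check phase, and with Satisfy Any a denial there can be overridden by a successful authentication (the Kerberos auth inherited from `<Location "/ipa">`), which is why mod_ssl needs `SSLOptions +StrictRequire` to make SSLRequireSSL binding in this configuration. Please verify that a plain-HTTP request to /ipa/migration/ is actually refused after this hunk, and if mod_nss mirrors mod_ssl here, add `NSSOptions +StrictRequire` to this Directory block.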
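To make the effect of the Location/Directory changes concrete, here is an added example (not FreeIPA code and not part of this thread): a small Python audit that parses an ipa.conf-style fragment, applies Apache's <Location> prefix matching and the Alias mapping for <Directory> sections, and reports for a set of request paths whether any covering section declares NSSRequireSSL. The BEFORE and AFTER fragments are constructed from the hunks above; the request paths /ipa/ui/index.html and /ipa/other are hypothetical. It only models where NSSRequireSSL is declared, not Satisfy/Require merging, so it shows which paths lost the TLS requirement rather than httpd's final decision.

```python
"""Audit which request paths an ipa.conf-style Apache fragment forces onto TLS.

Added example, not FreeIPA code. It models only what the patch touches:
<Location> prefix matching, <Directory> sections reached through an Alias,
and the presence of NSSRequireSSL. It does not model Satisfy/Require merging,
regex sections or .htaccess, so it answers "where is NSSRequireSSL declared",
not "what will httpd finally decide".
"""
import re
from dataclasses import dataclass, field

SECTION_RE = re.compile(r'^<(Location|Directory)\s+"?([^">]+?)"?\s*>$')
END_RE = re.compile(r'^</(Location|Directory)>$')
ALIAS_RE = re.compile(r'^Alias\s+(\S+)\s+"?([^"]+?)"?$')


@dataclass
class Section:
    kind: str          # "Location" or "Directory"
    path: str          # URL prefix or filesystem path, without trailing slash
    directives: list = field(default_factory=list)   # directive names only


def parse_config(text):
    """Return (sections, aliases); aliases maps filesystem path -> URL prefix."""
    sections, aliases, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = Section(m.group(1), m.group(2).rstrip("/") or "/")
            continue
        if END_RE.match(line) and current is not None:
            sections.append(current)
            current = None
            continue
        m = ALIAS_RE.match(line)
        if m and current is None:
            aliases[m.group(2).rstrip("/")] = m.group(1).rstrip("/")
            continue
        if current is not None:
            current.directives.append(line.split()[0])
    return sections, aliases


def covers(prefix, path):
    """Apache <Location> semantics: /ipa covers /ipa and /ipa/x, not /ipafoo."""
    return path == prefix or path.startswith(prefix + "/")


def requires_ssl(text, request_path):
    """True if any section covering request_path declares NSSRequireSSL."""
    sections, aliases = parse_config(text)
    for sec in sections:
        # A <Directory> only maps to a URL if an Alias points at it.
        prefix = sec.path if sec.kind == "Location" else aliases.get(sec.path)
        if (prefix is not None and covers(prefix, request_path)
                and "NSSRequireSSL" in sec.directives):
            return True
    return False


def audit(text, paths):
    """Map each request path to whether the fragment requires TLS for it."""
    return {p: requires_ssl(text, p) for p in paths}


# Constructed fragments reduced to the directives the patch touches.
BEFORE = """
# Protect /ipa with Kerberos
<Location "/ipa">
    NSSRequireSSL
    AuthType Kerberos
</Location>
Alias /ipa/ui "/usr/share/ipa/ui"
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    AllowOverride None
    Satisfy Any
    Allow from all
</Directory>
"""

AFTER = """
# Ensure SSL is enabled in our APIs
<Location "/ipa/xml">
    NSSRequireSSL
</Location>
<Location "/ipa/json">
    NSSRequireSSL
</Location>
# Protect /ipa with Kerberos
<Location "/ipa">
    AuthType Kerberos
</Location>
Alias /ipa/ui "/usr/share/ipa/ui"
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    NSSRequireSSL
    AllowOverride None
    Satisfy Any
    Allow from all
</Directory>
"""

# Hypothetical request paths; only /ipa/xml, /ipa/json, /ipa/ui and
# /ipa/migration appear in the patch itself.
PATHS = ["/ipa/xml", "/ipa/json", "/ipa/migration/index.html",
         "/ipa/ui/index.html", "/ipa/other", "/ipafoo"]

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg, PATHS))
```

Running it side by side shows the inversion: before the patch every path under /ipa requires TLS, afterwards only the two API endpoints and the migration directory do, and /ipa/ui/index.html or any other sub-path falls through to Kerberos over plain HTTP.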
_______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel