On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
> >> IPA server, client and replica installation and WebUI worked for me.
> >
> > This patch seems to defeat the purpose as we are still allowing krb auth
> > on locations that do not enforce ssl.
> >
> > NACK.
> >
> > Simo.
> >
>
> Simo's concern is that if you enable the fake basic auth and go to an
> HTTP page you could expose your credentials. Probably worth testing with
> something like the LiveHTTPHeaders extension. Go to the webui then grab
> the CA or something in /ipa/config and see if it sends the Authorized
> header.

I checked headers with LiveHTTPHeaders when requesting /ipa/config/ca.crt
and saw Authorization header with user:pwd sent only when accessing it
via https.

>
> The only other solution I see is to duplicate the krb block for each of
> our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
>
> rob

I guess this can be done, I would rather let someone with stronger
apache-fu than me do the change.

Martin
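Added example, not part of the original thread: the header check discussed above, automated over a captured request log. The capture format, the host name ipa.example.test and the OUTSIDE_AUTH_URIS category (credentials sent to a path outside the three URIs rob lists) are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# The three authenticated URIs named in the thread.
AUTH_PREFIXES = ("/ipa/ui", "/ipa/xml", "/ipa/json")

# Constructed capture, simplified format (assumption); last request is a failing case.
SAMPLE_CAPTURE = """\
https://ipa.example.test/ipa/ui/index.html
Host: ipa.example.test
Authorization: Basic dXNlcjpwd2Q=

https://ipa.example.test/ipa/config/ca.crt
Host: ipa.example.test
Authorization: Basic dXNlcjpwd2Q=

http://ipa.example.test/ipa/config/ca.crt
Host: ipa.example.test

http://ipa.example.test/ipa/config/ca.crt
Host: ipa.example.test
Authorization: Basic dXNlcjpwd2Q=
"""

def parse_capture(text):
    """Yield (url, headers) for each blank-line-separated request."""
    for block in filter(None, re.split(r"\n\s*\n", text.strip())):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        yield lines[0], headers

def audit(text):
    """Return (finding, url, auth_scheme); the credential is never echoed."""
    findings = []
    for url, headers in parse_capture(text):
        auth = headers.get("authorization")
        if auth is None:
            continue
        parts = urlsplit(url)
        scheme = (auth.split() or ["<empty>"])[0]
        in_scope = any(parts.path == p or parts.path.startswith(p + "/")
                       for p in AUTH_PREFIXES)
        if parts.scheme != "https":
            findings.append(("PLAINTEXT", url, scheme))
        elif not in_scope:
            findings.append(("OUTSIDE_AUTH_URIS", url, scheme))
    return findings
```

A PLAINTEXT finding is the exposure Simo's NACK is about; an empty result for http:// requests matches what Martin reports seeing.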