Martin Kosek wrote:
On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
Simo Sorce wrote:
On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
IPA server, client and replica installation and WebUI worked for me.
This patch seems to defeat the purpose as we are still allowing krb auth
on locations that do not enforce ssl.
NACK.
Simo.
Simo's concern is that if you enable the fake basic auth and go to an
HTTP page you could expose your credentials. Probably worth testing with
something like the LiveHTTPHeaders extension. Go to the webui then grab
the CA or something in /ipa/config and see if it sends the Authorized
header.
I checked headers with LiveHTTPHeaders when
requesting /ipa/config/ca.crt and saw the Authorization header with user:pwd
sent only when accessing it via https.
The only other solution I see is to duplicate the krb block for each of
our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
rob
I guess this can be done, I would rather let someone with stronger
apache-fu than me do the change.
Martin
I think this patch should be reverted for now while we work on a better
solution (if it hasn't already).
rob
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
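What Rob's "duplicate the krb block" suggestion would look like in mod_auth_kerb terms, as an added illustration that is not the FreeIPA project's ipa.conf or any patch from this thread. The realm, keytab path and service name are assumed placeholders; the three authenticated URIs and /ipa/config are the ones named above.

```apache
# Added example, not FreeIPA's own configuration. Assumed placeholders:
# realm EXAMPLE.COM, keytab /path/to/http.keytab, service name HTTP.
#
# /ipa/config (where ca.crt lives) intentionally gets no auth directives
# at all, so a browser fetching it over plain HTTP is never challenged and
# never has a reason to send an Authorization header.
#
# Each authenticated URI gets its own block instead of one block covering
# the whole /ipa tree. SSLRequireSSL rejects a non-TLS request before any
# authentication challenge is issued, so the password fallback
# (KrbMethodK5Passwd, the "fake basic auth" discussed above) can only ever
# be exercised over https.

<Location "/ipa/ui">
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /path/to/http.keytab
  KrbSaveCredentials on
  Require valid-user
</Location>

<Location "/ipa/xml">
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /path/to/http.keytab
  KrbSaveCredentials on
  Require valid-user
</Location>

<Location "/ipa/json">
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd on
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /path/to/http.keytab
  KrbSaveCredentials on
  Require valid-user
</Location>
```

To verify the behaviour the same way Martin did, fetch /ipa/config/ca.crt and one of the three URIs over http:// and https:// and confirm that an Authorization header appears only on the https requests.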