On Mon, 2011-09-26 at 21:07 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > On Mon, 2011-09-26 at 08:54 -0400, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Mon, 2011-09-26 at 11:22 +0200, Martin Kosek wrote:
> >>>> IPA server, client and replica installation and WebUI worked for me.
> >>>
> >>> This patch seems to defeat the purpose as we are still allowing krb auth
> >>> on locations that do not enforce ssl.
> >>>
> >>> NACK.
> >>>
> >>> Simo.
> >>>
> >>
> >> Simo's concern is that if you enable the fake basic auth and go to an
> >> HTTP page you could expose your credentials. Probably worth testing with
> >> something like the LiveHTTPHeaders extension. Go to the webui then grab
> >> the CA or something in /ipa/config and see if it sends the Authorized
> >> header.
> >
> > I checked headers with LiveHTTPHeaders when
> > requesting /ipa/config/ca.crt and saw Authorization header with user:pwd
> > sent only when accessing it via https.
> >
> >>
> >> The only other solution I see is to duplicate the krb block for each of
> >> our three authenticated uris: /ipa/ui, /ipa/xml and /ipa/json.
> >>
> >> rob
> >
> > I guess this can be done, I would rather let someone with stronger
> > apache-fu than me do the change.
> >
> > Martin
> >
> 
> I think this patch should be reverted for now while we work on a better 
> solution (if it hasn't already).
> 
> rob

I reverted the patch in both master and ipa-2-1.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Reply via email to