https://fedorahosted.org/freeipa/ticket/4190
To test this on F22 my patch 42 is needed. -- David Kupka
From 135faa61e0252cc35cca75aa9814610db0883aa4 Mon Sep 17 00:00:00 2001 From: David Kupka <[email protected]> Date: Wed, 25 Mar 2015 05:22:03 -0400 Subject: [PATCH] Use mod_auth_gssapi instead of mod_auth_kerb. https://fedorahosted.org/freeipa/ticket/4190 --- freeipa.spec.in | 2 +- init/systemd/ipa.conf.tmpfiles | 1 + install/conf/ipa.conf | 28 ++++++++++------------------ ipalib/session.py | 20 ++++++++++---------- ipaserver/rpcserver.py | 2 +- 5 files changed, 23 insertions(+), 30 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 7a1ff8b50ef1b462ad14fb2328149c3c2ed2fb38..b9f38f729d8fcec57d73e26352068d50a9d2cecc 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-6 Requires: mod_wsgi -Requires: mod_auth_kerb >= 5.4-16 +Requires: mod_auth_gssapi Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 Requires: python-krbV diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644 --- a/init/systemd/ipa.conf.tmpfiles +++ b/init/systemd/ipa.conf.tmpfiles @@ -1,2 +1,3 @@ d /var/run/ipa_memcached 0700 apache apache d /var/run/ipa 0700 root root +d /var/run/httpd/clientcaches 0700 apache apache diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 7eede73efc559967925d2bbfeee54e1e2efd3e21..1f113756b78446c4d34ca8ea37cacd73deaaf57d 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -3,7 +3,6 @@ # # This file may be overwritten on upgrades. # -# LoadModule auth_kerb_module modules/mod_auth_kerb.so ProxyRequests Off 
@@ -61,19 +60,14 @@ WSGIScriptReloading Off SetHandler None </Location> -KrbConstrainedDelegationLock ipa - # Protect /ipa and everything below it in webspace with Apache Kerberos auth <Location "/ipa"> - AuthType Kerberos + AuthType GSSAPI AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - KrbConstrainedDelegation on + GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab + GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab + GssapiDelegCcacheDir /var/run/httpd/clientcaches + GssapiUseS4U2Proxy on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html </Location> @@ -176,14 +170,12 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi" # Protect our CGIs <Directory /var/www/cgi-bin> - AuthType Kerberos + AuthType GSSAPI AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on + GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab + GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab + GssapiDelegCcacheDir /var/run/httpd/clientcaches + GssapiUseS4U2Proxy on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html </Directory> diff --git a/ipalib/session.py b/ipalib/session.py index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644 --- a/ipalib/session.py +++ b/ipalib/session.py @@ -484,7 +484,7 @@ improve authentication performance. First some definitions. There are 4 major players: 1. client - 2. mod_auth_kerb (in Apache process) + 2. mod_auth_gssapi (in Apache process) 3. wsgi handler (in IPA wsgi python process) 4. ds (directory server) 
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI. 2. Client sends post to /ipa/json. - 3. mod_auth_kerb is configured to protect /ipa/json, replies 401 + 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401 authenticate negotiate. 4. Client resends with credentials - 5. mod_auth_kerb validates credentials + 5. mod_auth_gssapi validates credentials a. if invalid replies 403 access denied (stops here) @@ -550,7 +550,7 @@ A few notes about the session implementation. Changes to Apache's resource protection --------------------------------------- - * /ipa/json is no longer protected by mod_auth_kerb. This is + * /ipa/json is no longer protected by mod_auth_gssapi. This is necessary to avoid the negotiate expense in steps 3,4,5 above. Instead the /ipa/json resource will be protected in our wsgi handler via the session cookie. @@ -583,15 +583,15 @@ The new sequence is: 5. client sends request to /ipa/login to obtain session credentials - 6. mod_auth_kerb replies 401 negotiate on /ipa/login + 6. mod_auth_gssapi replies 401 negotiate on /ipa/login 7. client sends credentials to /ipa/login - 8. mod_auth_kerb validates credentials + 8. mod_auth_gssapi validates credentials a. if valid - - mod_auth_kerb permits access to /ipa/login. wsgi handler is + - mod_auth_gssapi permits access to /ipa/login. wsgi handler is invoked and does the following: * establishes session for client @@ -600,7 +600,7 @@ The new sequence is: a. if invalid - - mod_auth_kerb sends 403 access denied (processing stops) + - mod_auth_gssapi sends 403 access denied (processing stops) 9. client now posts the same data again to /ipa/json including session cookie. Processing repeats starting at step 2 and since 
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure calls are marshalled and unmarshalled. Under the new scheme /ipa/xml will continue to be Kerberos protected -at all times. Apache's mod_auth_kerb will continue to require the +at all times. Apache's mod_auth_gssapi will continue to require the client provides valid Kerberos credentials. When the WSGI handler routes to /ipa/xml the Kerberos credentials will be extracted from the KRB5CCNAME environment variable as provided by -mod_auth_kerb. Everything else remains the same. +mod_auth_gssapi. Everything else remains the same. ''' diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644 --- a/ipaserver/rpcserver.py +++ b/ipaserver/rpcserver.py @@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status): def __call__(self, environ, start_response): self.debug('WSGI login_kerberos.__call__:') - # Get the ccache created by mod_auth_kerb + # Get the ccache created by mod_auth_gssapi user_ccache_name=environ.get('KRB5CCNAME') if user_ccache_name is None: return self.internal_error(environ, start_response, -- 2.1.0
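Review bot: in the freeipa.spec.in hunk, `+Requires: mod_auth_gssapi` drops the minimum version that the replaced `Requires: mod_auth_kerb >= 5.4-16` carried, while the install/conf/ipa.conf hunks depend on `GssapiDelegCcacheDir` and `GssapiUseS4U2Proxy`, which only newer mod_auth_gssapi releases understand; pin a minimum version that provides those directives so an older module does not stop httpd with an unknown-directive error.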
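Review bot: the init/systemd/ipa.conf.tmpfiles hunk adds `+d /var/run/httpd/clientcaches 0700 apache apache`, but tmpfiles.d entries are applied at boot (or by an explicit `systemd-tmpfiles --create`), so on an upgraded server that is not rebooted the directory named in `GssapiDelegCcacheDir` is missing until then; have the upgrade path create it too. The mode is right: 0700 owned by apache, since the directory holds every authenticated user's delegated credentials.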
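Review bot: in the `<Location "/ipa">` hunk, the removed `KrbAuthRealms $REALM` has no replacement, so authentication now accepts any principal the keytab can validate rather than only principals of the IPA realm; confirm this is intended (for trusted-realm users, say) or document why. The dropped `KrbMethodK5Passwd off` likewise has no counterpart; confirm that mod_auth_gssapi's default leaves the password fallback disabled. A comment explaining why `GssapiCredStore client_keytab:` is needed next to `GssapiCredStore keytab:` (S4U2Proxy requires the HTTP service to obtain its own credentials before acting on the user's behalf) would help the next reader of this file.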
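Review bot: the `<Directory /var/www/cgi-bin>` hunk adds `GssapiDelegCcacheDir` and `GssapiUseS4U2Proxy on`, although the block it replaces had only `KrbSaveCredentials on` and no `KrbConstrainedDelegation on`; that gives the CGIs a constrained-delegation ccache they did not have before. If the CGIs do not need to act as the user, drop those two lines from this block and keep it to `AuthType GSSAPI` plus the keytab `GssapiCredStore`, so the widening is limited to `/ipa`, where it is needed.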
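Review bot: the last ipalib/session.py hunk still says the credentials are "extracted from the KRB5CCNAME environment variable as provided by mod_auth_gssapi"; since the configuration now sets `GssapiDelegCcacheDir /var/run/httpd/clientcaches`, state in this docstring that the variable names a ccache file in that directory, so readers know where delegated credentials end up.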
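Review bot: the ipaserver/rpcserver.py hunk is a comment-only change, but `environ.get('KRB5CCNAME')` now returns a path under `GssapiDelegCcacheDir`, and nothing in this patch removes those per-request ccache files once the session has been established; add cleanup, or note which component is responsible for it, so delegated credentials do not accumulate in /var/run/httpd/clientcaches.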
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
