Please ignore, bad copy and paste.

Version 22 of the ipa.conf (the second pasted config section) is the one
that works correctly.

Is there a way to disable Kerberos browser-side popup password box in
version 27 of the ipa.conf file?

Apologies for the confusion :(

On Sat, Dec 30, 2017 at 11:04 AM, Anthony Clark <anthonyclar...@gmail.com>
wrote:

> In the previous versions of FreeIPA, this worked to disable the
> browser-side Kerberos login prompt:
>
> # version 27 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos
> auth
> <Location "/ipa">
>   <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
>   AuthType GSSAPI
>   AuthName "Kerberos Login"
>   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>   GssapiDelegCcacheUnique On
>   GssapiUseS4U2Proxy on
>   GssapiAllowedMech krb5
>   Require valid-user
>   ErrorDocument 401 /ipa/errors/unauthorized.html
>   </If>
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
>   Header always append X-Frame-Options DENY
>   Header always append Content-Security-Policy "frame-ancestors 'none'"
> </Location>
>
> I've been asked to disable the password dialog popup because it is
> confusing to end users.
>
> Before, in ipa.conf this worked to disable the dialog popup:
>
> # version 22 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos
> auth
> <Location "/ipa">
>   <If "%{HTTP_USER_AGENT} !~ /(Chrome|Mozilla|MSIE)/">
>   AuthType GSSAPI
>   AuthName "Kerberos Login"
>   GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
>   GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
>   GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
>   GssapiDelegCcacheUnique On
>   GssapiUseS4U2Proxy on
>   GssapiAllowedMech krb5
>   Require valid-user
>   ErrorDocument 401 /ipa/errors/unauthorized.html
>   </If>
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
>   Header always append X-Frame-Options DENY
>   Header always append Content-Security-Policy "frame-ancestors 'none'"
> </Location>
>
> But inserting the "If useragent = chrome/ie" now just gives me a
> "forbidden" popup.
>
> Does anyone know of a way to disable the browser's Kerberos password popup?
>
> Thanks,
>
> Anthony Clark
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to