On Wed, 2011-09-21 at 16:10 -0400, Rob Crittenden wrote:
> Ian Stokes-Rees wrote:
> > It appears that FreeIPA v2 includes the hostname in web-based URLs and
> > redirects. This isn't good if the server is sitting behind a proxy
> > server or if a user is trying to use port forwarding (as I am now) to
> > access the system.

It is a problem only if you are using port forwarding which is a
configuration we do not support.
Proxy servers are completely transparent wrt that, proxies do not
rewrite URLs.

You should use the SOCKS option of SSH if you need to port forward and
configure your browser to use the port you set up as a SOCKS proxy.

This should make your situation work w/o changes to the apache
configuration.

> > Is there some way to configure this behavior to avoid it happening? If
> > so, shouldn't that be the default?
> >
> 
> Kerberos and SSL are very specific about what host they want to talk to 
> so we have some mod_redirect rules to make sure we are talking to the 
> right FQDN over SSL.
> 
> You can disable these in /etc/httpd/conf.d/ipa-rewrite.conf if you'd like.

Note that if you disable that, Kerberos auth will fail and you'll
probably end up enabling basic auth which is bad, (heavy weight on the
KDC and also stores your kerberos password in the browser).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to