On Mon, 03 Feb 2014, Steve Severance wrote:
> Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
> It now appears to authenticate fine when it posts the session but I have a
> new error.
>
> I get an Ipa Error 911 "Missing HTTP referer. <br/> You have to configure
> your browser to send HTTP referer header." I assume this is because the
> external name doesn't match the internal name. Is there a way to modify
> this somewhere?
You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for
details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the
security errata addressing it.

We are deliberately closing cross-site forgery by enforcing
HTTP referrer checks.

Your nginx proxy would be a middle man which we are attempting to
protect against.

Recent discussions on how to allow your use case but still keep the
security tight can be seen here:
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter
part of the thread). Discussion stalled since then.


> Thanks.
>
> Steve
>
>
> On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose <sb...@redhat.com> wrote:
>
> > On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
> > > Hi Sumit, That does indeed work. What does that tell us?
> >
> > I'm sorry, but it only tells that in general GSSAPI/Kerberos is working.
> > I think it does not help much with your original issue. About
> > ipa-getkeytab, does it work if you specify the server with the
> > -s/--server option?
> >
> >
> > bye,
> > Sumit
> >
> > >
> > > Steve
> > >
> > >
> > > On Wed, Jan 29, 2014 at 12:11 AM, Sumit Bose <sb...@redhat.com> wrote:
> > >
> > > > On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
> > > > > Hi Everyone,
> > > > >
> > > > > I have deployed freeipa inside our production network. I want to be
> > > > > able to access the web ui so I am attempting to add it to our nginx
> > > > > edge machine. I can pass the requests upstream just fine but I am
> > > > > unable to log in using a username/password. I have enabled password
> > > > > authentication in the kerberos section of the freeipa httpd config
> > > > > file. In the logs it looks like the authentication succeeds and a
> > > > > ticket is issued. I assume that the cookie that is returned
> > > > > (ipa_session) has the authentication information in it. The
> > > > > subsequent call to get json data fails and I am prompted to log in
> > > > > again.
> > > > >
> > > > > I found this thread
> > > > > (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
> > > > > which has instructions on adding ipa.mydomain.com to the keytab.
> > > > > When I call ipa-getkeytab it hangs for a bit before returning:
> > > > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> > > > >
> > > > > Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
> > > > >
> > > > > I get:
> > > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
> > > > >         additional info: SASL(-4): no mechanism available:
> > > >
> > > > Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
> > > > GSSAPI ....' ?
> > > >
> > > > bye,
> > > > Sumit
> > > >
> > > > >
> > > > > So we seem to have a SASL problem. If I run ldapsearch with -x simple
> > > > > authentication works just fine.
> > > > >
> > > > > Do I need to do something special to enable SASL so I can get the
> > > > > keytab? The ipa-getkeytab command does not seem to have an option to
> > > > > use simple authentication.
> > > > >
> > > > > Thanks.
> > > > >
> > > > > Steve
> > > >
> > > > > _______________________________________________
> > > > > Freeipa-users mailing list
> > > > > Freeipa-users@redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/freeipa-users
> > > >
>
> --
> Steve Severance
> Director of Engineering
> Altos Research
>
> e. st...@altosresearch.com
> m. (240) 472 - 9645



--
/ Alexander Bokovoy

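As an added illustration of the Referer check Alexander describes (this is not FreeIPA's code), the function below accepts a request only when its Referer names the server's own canonical https host; a request relayed by a reverse proxy under a different external name, or with the header stripped, is rejected the way the thread's error 911 shows. The host names and the helper are hypothetical, and the sample requests are constructed.

```python
from urllib.parse import urlsplit

# Error code quoted in the thread ("IPA Error 911").
REFERER_MISSING = 911


def check_referer(headers, expected_host):
    """Return (ok, reason) for a Referer-based CSRF check.

    Accept only requests whose Referer names the server's own canonical
    host over https. A missing header gives the 911-style rejection from
    the thread; a different host (e.g. a reverse proxy's external name) or
    a third-party origin is rejected as a possible cross-site request.
    """
    referer = headers.get("Referer")
    if not referer:
        return False, "IPA Error %d: Missing HTTP referer" % REFERER_MISSING
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return False, "referer is not https"
    host = (parts.hostname or "").lower()
    if host != expected_host.lower():
        return False, "referer host %r does not match %r" % (host, expected_host)
    return True, "ok"


# Constructed sample requests. Host names are hypothetical: the IPA server
# knows itself as ipa.internal.example, while browsers reach the nginx edge
# as ipa.example.com.
SERVER_HOST = "ipa.internal.example"
DIRECT_BROWSER = {"Host": SERVER_HOST,
                  "Referer": "https://ipa.internal.example/ipa/ui/"}
VIA_PROXY = {"Host": SERVER_HOST,     # proxied; the browser only saw the external name
             "Referer": "https://ipa.example.com/ipa/ui/"}
NO_REFERER = {"Host": SERVER_HOST}    # browser configured not to send Referer
CROSS_SITE = {"Host": SERVER_HOST,    # form posted from an unrelated site
              "Referer": "https://other-site.example/form"}

if __name__ == "__main__":
    for name, req in [("direct", DIRECT_BROWSER), ("via proxy", VIA_PROXY),
                      ("no referer", NO_REFERER), ("cross-site", CROSS_SITE)]:
        print("%-11s %s" % (name, check_referer(req, SERVER_HOST)))
```

Only the direct request passes; the proxied one fails on the host comparison rather than on a missing header, which is why the external and internal names matter in Steve's setup.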