On 02/15/2016 02:12 PM, Wanderley Mayhé wrote:

Hello Rob

Regarding the thread
https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I
have tested to set KrbMethodK5Passwd to “on” and restarted httpd but IPA
Web UI was still trying to auto-login user through a browser dialog.

In order to effectively disable this browser dialog, I had to edit

and add this line set KrbMethodNegotiate to off as follows (and restarted

# Protect /ipa and everything below it in webspace with Apache Kerberos

<Location "/ipa">

   AuthType Kerberos

   AuthName "Kerberos Login"

##  KrbMethodNegotiate on

KrbMethodNegotiate off

   KrbMethodK5Passwd off

   KrbServiceName HTTP

   KrbAuthRealms IBP.ORG.BR

   Krb5KeyTab /etc/httpd/conf/ipa.keytab

   KrbSaveCredentials on

   KrbConstrainedDelegation on

   Require valid-user

   ErrorDocument 401 /ipa/errors/unauthorized.html


Am I correct to assume that that JSON API will not be affected by this


Is there any major problems this setting could cause?

Yes, it would affect the API :)

Better option would be to modify Web UI with UI plugin to skip Kerberous auth - harder to explain.

Or easier thing might be to modify ipa.conf in a way that /ipa/session/login_kerberos would not return negotiate headers but would fail immediately with 401.

Petr Vobornik

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to