Hello,

On 02/15/2016 02:12 PM, Wanderley Mayhé wrote:


Hello Rob



Regarding the thread
https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I
have tested to set KrbMethodK5Passwd to “on” and restarted httpd but IPA
Web UI was still trying to auto-login user through a browser dialog.



In order to effectively disable this browser dialog, I had to edit
/etc/httpd/conf.d/ipa.conf

and add this line set KrbMethodNegotiate to off as follows (and restarted
httpd):





# Protect /ipa and everything below it in webspace with Apache Kerberos
auth

<Location "/ipa">

   AuthType Kerberos

   AuthName "Kerberos Login"

##  KrbMethodNegotiate on

KrbMethodNegotiate off

   KrbMethodK5Passwd off

   KrbServiceName HTTP

   KrbAuthRealms IBP.ORG.BR

   Krb5KeyTab /etc/httpd/conf/ipa.keytab

   KrbSaveCredentials on

   KrbConstrainedDelegation on

   Require valid-user

   ErrorDocument 401 /ipa/errors/unauthorized.html

</Location>



Am I correct to assume that that JSON API will not be affected by this
change?

No


Is there any major problems this setting could cause?


Yes, it would affect the API :)

Better option would be to modify Web UI with UI plugin to skip Kerberous auth - harder to explain.

Or easier thing might be to modify ipa.conf in a way that /ipa/session/login_kerberos would not return negotiate headers but would fail immediately with 401.

--
Petr Vobornik

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to