Apparently removing the GSSAPI AuthType breaks foreman-proxy, so I had to
do this:

<Location "/ipa">
  <If "%{HTTP_HOST} != 'password.example.net'">
    AuthType GSSAPI
    AuthName "Kerberos Login"
    GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
    GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
    GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
    GssapiUseS4U2Proxy on
    Require valid-user
    ErrorDocument 401 /ipa/errors/unauthorized.html
  </If>
    WSGIProcessGroup ipa
    WSGIApplicationGroup ipa
</Location>

Apologies for the post spam.

On Tue, Jun 7, 2016 at 9:50 AM, Anthony Clark <anthonyclar...@gmail.com>
wrote:

> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
>
> # Protect /ipa and everything below it in webspace with Apache Kerberos
> auth
> <Location "/ipa">
> #  AuthType GSSAPI
> #  AuthName "Kerberos Login"
> #  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> #  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> #  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> #  GssapiUseS4U2Proxy on
> #  Require valid-user
> #  ErrorDocument 401 /ipa/errors/unauthorized.html
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
> </Location>
>
>
>
> Once that change was made, the following proxy worked:
>
> Listen 9443
>
> <VirtualHost *:9443>
>
> ErrorLog /etc/httpd/logs/password-error_log
> TransferLog /etc/httpd/logs/password-access_log
> LogLevel debug
>
> NSSEngine on
>
> NSSCipherSuite
> +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> NSSProtocol TLSv1.0,TLSv1.1,TLSv1.2
>
> NSSNickname Server-Cert
>
> NSSCertificateDatabase /etc/httpd/alias
>
> NSSProxyEngine on
> NSSProxyCipherSuite
> +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha,-rsa_rc4_40_md5,-rsa_rc2_40_md5,-rsa_null_md5,-rsa_null_sha,+fips_3des_sha,-fips_des_sha,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,-rsa_des_56_sha,-rsa_rc4_56_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
>
> ProxyPass / https://ns01.dev.example.net/
> ProxyPassReverse / https://ns01.dev.example.net/
> ProxyPassReverseCookieDomain ns01.dev.example.net password.example.net
> RequestHeader edit Referer ^https://password\.example\.net/
> https://ns01.dev.example.net/
> </VirtualHost>
>
> I hope this helps someone down the line.
>
> -Anthony Clark
>
>
> On Mon, Jun 6, 2016 at 7:29 AM, Karl Forner <karl.for...@gmail.com> wrote:
>
>> Thanks a lot Jan. It works perfectly, and it is crystal-clear.
>> Best,
>> Karl
>>
>> On Mon, Jun 6, 2016 at 11:13 AM, Jan Pazdziora <jpazdzi...@redhat.com>
>> wrote:
>> > On Fri, Jun 03, 2016 at 10:42:59PM +0200, Jan Pazdziora wrote:
>> >>
>> >> Hope this helps. I will likely do another writeup about this setup.
>> >
>> >
>> https://www.adelton.com/freeipa/freeipa-behind-proxy-with-different-name
>> >
>> > --
>> > Jan Pazdziora
>> > Senior Principal Software Engineer, Identity Management Engineering,
>> Red Hat
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to