On Tue, Jun 07, 2016 at 09:50:07AM -0400, Anthony Clark wrote:
> One thing I noticed was that once I had set up the proxy as per the
> document from Jan, I was getting access denied to /ipa until I disabled the
> Kerberos authentication stuff:
> 
> # Protect /ipa and everything below it in webspace with Apache Kerberos auth
> <Location "/ipa">
> #  AuthType GSSAPI
> #  AuthName "Kerberos Login"
> #  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> #  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> #  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> #  GssapiUseS4U2Proxy on
> #  Require valid-user
> #  ErrorDocument 401 /ipa/errors/unauthorized.html
>   WSGIProcessGroup ipa
>   WSGIApplicationGroup ipa
> </Location>

Could you be more specific about the issue? What actions were you
doing and at what point did you see the access denied, perhaps also
increase the LogLevel to debug in the FreeIPA's Apache configuration
and check the error_log and ssl_error_log.

I did not observe the access denied before or after logging in and I'd
like to get to the root of this.

Thank you,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to