[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-31 Thread Ian Pilcher via FreeIPA-users
On 05/30/2017 06:29 PM, Fraser Tweedale wrote: What you are missing: the client tools do not support certificate authentication (yet). Well yes, but it's not clear that the OP needs/wants to support the client tools via the Internet. My impression was that they only needed to support the web U

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-30 Thread Ivars Strazdiņš via FreeIPA-users
> On 30 May 2017, at 21:16, Ian Pilcher via FreeIPA-users > wrote: > > On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote: >> On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: >>> I am not saying “instead of”. We are using standard authentication provided >>

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-30 Thread Fraser Tweedale via FreeIPA-users
On Tue, May 30, 2017 at 10:46:59AM -0500, Ian Pilcher via FreeIPA-users wrote: > On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote: > > On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: > > > I am not saying “instead of”. We are using standard authentication > > > provi

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-30 Thread Ian Pilcher via FreeIPA-users
On 05/29/2017 07:15 PM, Fraser Tweedale via FreeIPA-users wrote: On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: I am not saying “instead of”. We are using standard authentication provided by FreeIPA, but I want to protect Web UI interface from unwanted attention as it is, unfo

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, May 29, 2017 at 06:26:31PM +0530, Ivars Strazdiņš wrote: > I am not saying “instead of”. We are using standard authentication provided by > FreeIPA, but I want to protect Web UI interface from unwanted attention as it > is, unfortunately, exposed to entire internet. I’d be much happier if

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Ivars Strazdiņš via FreeIPA-users
I am not saying “instead of”. We are using standard authentication provided by FreeIPA, but I want to protect Web UI interface from unwanted attention as it is, unfortunately, exposed to entire internet. I’d be much happier if Apache could reject (or redirect) any client which is not presenting r

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Fraser Tweedale via FreeIPA-users
On Mon, May 29, 2017 at 01:50:28PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On Sat, 27 May 2017, Ivars Strazdiņš via FreeIPA-users wrote: > > Hi there, > > our IPA servers' https port is exposed to internet. I wanted to restrict > > access to Web UI by requesting a user certificate is

[Freeipa-users] Re: ipa command breaks by setting "NSSVerifyClient require"

2017-05-29 Thread Alexander Bokovoy via FreeIPA-users
On Sat, 27 May 2017, Ivars Strazdiņš via FreeIPA-users wrote: Hi there, our IPA servers' https port is exposed to internet. I wanted to restrict access to Web UI by requesting a user certificate issued by IPA and enabling Apache setting "NSSVerifyClient require" (or "optional") in /etc/httpd/c