Please ignore, bad copy and paste.
Version 22 of the ipa.conf (the second pasted config section) is the one
that works correctly.
Is there a way to disable Kerberos browser-side popup password box in
version 27 of the ipa.conf file?
Apologies for the confusion :(
On Sat, Dec 30, 2017 at 11:04 AM, Anthony Clark
wrote:
> In the previous versions of FreeIPA, this worked to disable the
> browser-side Kerberos login prompt:
>
> # version 27 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos
> auth
>
>
> AuthType GSSAPI
> AuthName "Kerberos Login"
> GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> GssapiDelegCcacheUnique On
> GssapiUseS4U2Proxy on
> GssapiAllowedMech krb5
> Require valid-user
> ErrorDocument 401 /ipa/errors/unauthorized.html
>
> WSGIProcessGroup ipa
> WSGIApplicationGroup ipa
> Header always append X-Frame-Options DENY
> Header always append Content-Security-Policy "frame-ancestors 'none'"
>
>
> I've been asked to disable the password dialog popup because it is
> confusing to end users.
>
> Before, in ipa.conf this worked to disable the dialog popup:
>
> # version 22 ipa.conf
> # Protect /ipa and everything below it in webspace with Apache Kerberos
> auth
>
>
> AuthType GSSAPI
> AuthName "Kerberos Login"
> GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
> GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
> GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
> GssapiDelegCcacheUnique On
> GssapiUseS4U2Proxy on
> GssapiAllowedMech krb5
> Require valid-user
> ErrorDocument 401 /ipa/errors/unauthorized.html
>
> WSGIProcessGroup ipa
> WSGIApplicationGroup ipa
> Header always append X-Frame-Options DENY
> Header always append Content-Security-Policy "frame-ancestors 'none'"
>
>
> But inserting the "If useragent = chrome/ie" now just gives me a
> "forbidden" popup.
>
> Does anyone know of a way to disable the browser's Kerberos password popup?
>
> Thanks,
>
> Anthony Clark
>
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org