Hello,
On 02/15/2016 02:12 PM, Wanderley Mayhé wrote:
Hello Rob
Regarding the thread
https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I
have tested to set KrbMethodK5Passwd to “on” and restarted httpd but IPA
Web UI was still trying to auto-login user through a browser dialog.
In order to effectively disable this browser dialog, I had to edit
/etc/httpd/conf.d/ipa.conf
and add this line set KrbMethodNegotiate to off as follows (and restarted
httpd):
# Protect /ipa and everything below it in webspace with Apache Kerberos
auth
AuthType Kerberos
AuthName "Kerberos Login"
## KrbMethodNegotiate on
KrbMethodNegotiate off
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealms IBP.ORG.BR
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
Am I correct to assume that that JSON API will not be affected by this
change?
No
Is there any major problems this setting could cause?
Yes, it would affect the API :)
Better option would be to modify Web UI with UI plugin to skip Kerberous
auth - harder to explain.
Or easier thing might be to modify ipa.conf in a way that
/ipa/session/login_kerberos would not return negotiate headers but would
fail immediately with 401.
--
Petr Vobornik
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project