Re: [Freeipa-users] Access to IPA Web-UI with different domain names

2015-05-04 Thread Tomas Babej



On 04/27/2015 06:06 PM, David Dimovski wrote:

Hi Folks,
does somebody have a best practice, how to access the IPA Web-UI with 
different domain names?


Example:
Our IPA 4.1 has two different IPs (extern and intern) with two domain 
names. The web gui is only accessible from the domain name, which IPA 
was registered with (intern domain name). When trying to access with 
the extern domain name, IPA is rewriting to the intern domain name.


After disabling the rewriting, the web ui is accessible from the two 
domain names, but the login is not possible from the extern domain 
name (only intern domain name), getting the following error:

Logout session expired.

Does somebody have an idea or a clue?

Many thanks in advance!

Best regards
David




Hi,

one possible solution would be to set up a reverse proxy with the 
external domain name, which would be passing the requests from the 
external world to the internal IPA server.


However, the proxy would need to circumvent our XSS protection and 
rewrite the HTTP_REFERRER header to the internal hostname.


I haven't tested it, so maybe additional issues would come up.

Tomas
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Access to IPA Web-UI with different domain names

2015-05-04 Thread Tomas Babej



On 05/04/2015 12:32 PM, Tomas Babej wrote:



On 04/27/2015 06:06 PM, David Dimovski wrote:

Hi Folks,
does somebody have a best practice, how to access the IPA Web-UI with 
different domain names?


Example:
Our IPA 4.1 has two different IPs (extern and intern) with two 
domain names. The web gui is only accessible from the domain name, 
which IPA was registered with (intern domain name). When trying to 
access with the extern domain name, IPA is rewriting to the intern 
domain name.


After disabling the rewriting, the web ui is accessible from the two 
domain names, but the login is not possible from the extern domain 
name (only intern domain name), getting the following error:

Logout session expired.

Does somebody have an idea or a clue?

Many thanks in advance!

Best regards
David




Hi,

one possible solution would be to set up a reverse proxy with the 
external domain name, which would be passing the requests from the 
external world to the internal IPA server.


However, the proxy would need to circumvent our XSS protection and 
rewrite the HTTP_REFERRER header to the internal hostname.


I haven't tested it, so maybe additional issues would come up.

Tomas




For the record, Alexander pointed out that this would not work well, as 
connections passed by the proxy to the internal IPA instance would be 
encrypted using the external server's HTTP service ticket.


A proper solution here would be to create an IPA replica with the 
external hostname.


Tomas

Re: [Freeipa-users] Access to IPA Web-UI with different domain names

2015-04-27 Thread David Kupka

On 04/27/2015 06:06 PM, David Dimovski wrote:

Hi Folks,
does somebody have a best practice, how to access the IPA Web-UI with
different domain names?

Example:
Our IPA 4.1 has two different IPs (extern and intern) with two domain
names. The web gui is only accessible from the domain name, which IPA was
registered with (intern domain name). When trying to access with the
extern domain name, IPA is rewriting to the intern domain name.

After disabling the rewriting, the web ui is accessible from the two
domain names, but the login is not possible from the extern domain name
(only intern domain name), getting the following error:
Logout session expired.

Does somebody have an idea or a clue?

Many thanks in advance!

Best regards
David






Hello!

IIUC this is not something FreeIPA supports. When you deploy FreeIPA 
server it is tied to a domain specified during installation.


I think you need to decide whether your FreeIPA domain is internal or 
external.
If it's internal it is inaccessible from outside and you need to first 
connect to the internal network (e.g. use VPN) and then connect to 
FreeIPA server.

If it's external then everything works as expected.

--
David Kupka



[Freeipa-users] Access to IPA Web-UI with different domain names

2015-04-27 Thread David Dimovski
Hi Folks,
does somebody have a best practice, how to access the IPA Web-UI with 
different domain names?

Example:
Our IPA 4.1 has two different IPs (extern and intern) with two domain 
names. The web gui is only accessible from the domain name, which IPA was 
registered with (intern domain name). When trying to access with the 
extern domain name, IPA is rewriting to the intern domain name.

After disabling the rewriting, the web ui is accessible from the two 
domain names, but the login is not possible from the extern domain name 
(only intern domain name), getting the following error:
Logout session expired.

Does somebody have an idea or a clue?

Many thanks in advance!

Best regards
David
