X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=blobdiff_plain;f=README;h=9bde0cc370eb9fae8b22fb04c6b001c2a378e1bd;hp=78f8ee2b6cb1b3b052848e8cfffb335283ddb1fd;hb=effa209e386930ad705f255e61c24a5dfb057987;hpb=5fbd0275bf0263e0bfb384a51dbe144c90c9f57b diff --git a/README b/README index 78f8ee2..9bde0cc 100644 --- a/README +++ b/README @@ -14,7 +14,8 @@ completely agnostic of what authentication infrastructure is being used. Applications can currently use the SAML2[2] protocol to talk to the Ipsilon identity provider, an application that uses SAML is called a Service Provider. -Ipsilon uses the LASSO[3] libraries an Python bindings to implement SAML support. +Ipsilon uses the LASSO[3] libraries and Python bindings to implement SAML +support. Ipsilon Server Installation =========================== @@ -27,9 +28,9 @@ Prerequisites: - A keytab if Kerberos authentication is desired - An unprivileged user to run the Ipsilon code (defaults to 'ipsilon') -Currently there are only two available authentication modules, Kerberos and -PAM. The Kerberos module uses mod_auth_kerb (which it will configure for you at -install time), the Pam module simply uses the PAM stack with a default service +Currently there are only two available authentication modules, GSSAPI and +PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for +you at install time), the Pam module simply uses the PAM stack with a default service name set to 'remote'. NOTE: The PAM module is invoked as an unprivileged user so if you are using the @@ -38,7 +39,7 @@ not work properly. Please use a different PAM module, like pam_sss, pam_ldap, etc.. Before you run the install script make sure to create an administrative user -that can be authenticated either via PAM or Kerberos. The default name the +that can be authenticated either via PAM or GSSAPI. The default name the installation script expects is 'admin' but that can be changed with the command line option named --admin-user 
@@ -49,9 +50,10 @@ name is referenced and resolved by remote clients. Other options are available by running ipsilon-server-install --help -To install a server that allow both Kerberos and PAM authentication use: +To install a server that allow both GSSAPI (Kerberos) and PAM authentication +use: - $ ipsilon-server-install --krb=yes --pam=yes + $ ipsilon-server-install --gssapi=yes --pam=yes This command will generate a default instance called 'idp' (you can change the default name using the --instance switch). Multiple instance can be installed @@ -62,10 +64,17 @@ Instances are configured to be available at https://hostname/instance So for a server called ipsilon.example.com, using the default installation options the IdP will be available at https://ipsilon.example.com/idp/ +The install script expects to find the keytab in /etc/httpd/conf/http.keytab + NOTE: If you are installing Ipsilon in a FreeIPA[4] environment you can use the --ipa switch to simplify the deployment. Using the --ipa switch will allow the use of your IPA Kerberos administrative credentials to automatically provision -a keytab for the HTTP service if one is not available yet. +a keytab for the HTTP service if one is not available yet. You will likely +want to use the --admin-user option to specify the full principal of the user +who will administer Ipsilon. For example to use the FreeIPA admin user for +the EXAMPLE.COM realm, you would use: + + $ ipsilon-server-install --ipa --admin-user admin@EXAMPLE.COM Once the script has successfully completed the installation, restart the Apache HTTPD server to activate it.
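Review bot: in the hunk at @@ -27,9 +28,9 @@ the second sentence still says "The Kerberos module uses mod_auth_gssapi" right after the first sentence renames the module to GSSAPI; make the naming consistent, e.g. "The GSSAPI module uses mod_auth_gssapi (which it will configure for you at install time)". The rewrapped third line ("you at install time), the Pam module simply uses the PAM stack with a default service") now runs past the README's wrapping width; move "service" down to the next line. While touching it, "the Pam module" could become "the PAM module" to match the surrounding text.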
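Review bot: in the hunk at @@ -49,9 +50,10 @@ "To install a server that allow both GSSAPI (Kerberos) and PAM authentication" needs "allows". Since this hunk changes the documented install flag from "--krb=yes" to "--gssapi=yes", confirm that ipsilon-server-install in this tree actually accepts --gssapi, and if --krb was removed rather than kept as an alias, say so in the README so existing install scripts using the old flag are not silently broken.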
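Review bot: in the hunk at @@ -62,10 +64,17 @@ the new sentence "The install script expects to find the keytab in /etc/httpd/conf/http.keytab" documents the path but not who must be able to read it; since mod_auth_gssapi runs inside httpd, state the expected owner and permissions (readable by the web server user, not world-readable) and note that this is the file the earlier prerequisite "A keytab if Kerberos authentication is desired" refers to. Also add a comma in "For example, to use the FreeIPA admin user for the EXAMPLE.COM realm".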