- A keytab if Kerberos authentication is desired
- An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
-Currently there are only two available authentication modules, Kerberos and
+Currently there are only two available authentication modules, GSSAPI and
PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for
you at install time), the Pam module simply uses the PAM stack with a default service
name set to 'remote'.
etc..
Before you run the install script make sure to create an administrative user
-that can be authenticated either via PAM or Kerberos. The default name the
+that can be authenticated either via PAM or GSSAPI. The default name the
installation script expects is 'admin' but that can be changed with the command
line option named --admin-user
Other options are available by running ipsilon-server-install --help
-To install a server that allow both Kerberos and PAM authentication use:
+To install a server that allow both GSSAPI (Kerberos) and PAM authentication
+use:
- $ ipsilon-server-install --krb=yes --pam=yes
+ $ ipsilon-server-install --gssapi=yes --pam=yes
This command will generate a default instance called 'idp' (you can change the
default name using the --instance switch). Multiple instance can be installed
summary: IPA helpers
Group: System Environment/Base
License: GPLv3+
-Requires: %{name}-authkrb = %{version}-%{release}
+Requires: %{name}-authgssapi = %{version}-%{release}
Requires: %{name}-authform = %{version}-%{release}
%if 0%{?rhel}
Requires: ipa-client
Provides a login plugin to authenticate against the local PAM stack
-%package authkrb
+%package authgssapi
Summary: mod_auth_gssapi based login plugin
Group: System Environment/Base
License: GPLv3+
Requires: mod_auth_gssapi
BuildArch: noarch
-%description authkrb
+%description authgssapi
Provides a login plugin to allow authentication via the mod_auth_gssapi
Apache module.
%files authpam
%{python2_sitelib}/ipsilon/login/authpam*
-%files authkrb
-%{python2_sitelib}/ipsilon/login/authkrb*
-%{_datadir}/ipsilon/templates/login/krb.html
+%files authgssapi
+%{python2_sitelib}/ipsilon/login/authgssapi*
+%{_datadir}/ipsilon/templates/login/gssapi.html
%files authldap
%{python2_sitelib}/ipsilon/login/authldap*
WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon
WSGIProcessGroup idp
-<Location /idp/login/krb/negotiate>
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- KrbAuthRealms IPA.DEV.LAN
- Krb5KeyTab /etc/httpd/conf/http.keytab
- KrbSaveCredentials off
- KrbConstrainedDelegation off
- KrbLocalUserMapping On
+<Location /idp/login/gssapi/negotiate>
+ AuthType GSSAPI
+ AuthName "GSSAPI Single Sign On Login"
+ GssapiCredStore /etc/httpd/conf/http.keytab
+ GssapiSSLonly On
+ GssapiLocalName on
Require valid-user
- ErrorDocument 401 /idp/login/krb/unauthorized
+ ErrorDocument 401 /idp/login/gssapi/unauthorized
+ ErrorDocument 500 /idp/login/gssapi/failed
</Location>
<Directory /usr/libexec>
raise Exception('No IPA tools found!')
# Check if we already have a keytab for HTTP
- if 'krb_httpd_keytab' in opts:
- msg = "Searching for keytab in: %s" % opts['krb_httpd_keytab']
+ if 'gssapi_httpd_keytab' in opts:
+ msg = "Searching for keytab in: %s" % opts['gssapi_httpd_keytab']
print >> sys.stdout, msg,
- if os.path.exists(opts['krb_httpd_keytab']):
+ if os.path.exists(opts['gssapi_httpd_keytab']):
print >> sys.stdout, "... Found!"
return
else:
msg = "Searching for keytab in: %s" % HTTPD_IPA_KEYTAB
print >> sys.stdout, msg,
if os.path.exists(HTTPD_IPA_KEYTAB):
- opts['krb_httpd_keytab'] = HTTPD_IPA_KEYTAB
+ opts['gssapi_httpd_keytab'] = HTTPD_IPA_KEYTAB
print >> sys.stdout, "... Found!"
return
else:
try:
msg = "Trying to fetch keytab[%s] for %s" % (
- opts['krb_httpd_keytab'], princ)
+ opts['gssapi_httpd_keytab'], princ)
print >> sys.stdout, msg,
subprocess.check_output([IPA_GETKEYTAB,
'-s', server, '-p', princ,
- '-k', opts['krb_httpd_keytab']],
+ '-k', opts['gssapi_httpd_keytab']],
stderr=subprocess.STDOUT)
except subprocess.CalledProcessError, e:
# unfortunately this one is fatal
# Fixup permissions so only the ipsilon user can read these files
pw = pwd.getpwnam(HTTPD_USER)
- os.chown(opts['krb_httpd_keytab'], pw.pw_uid, pw.pw_gid)
+ os.chown(opts['gssapi_httpd_keytab'], pw.pw_uid, pw.pw_gid)
def configure_server(self, opts):
if opts['ipa'] != 'yes' and opts['ipa'] != 'auto':
return
- if opts['ipa'] != 'yes' and opts['krb'] == 'no':
+ if opts['ipa'] != 'yes' and opts['gssapi'] == 'no':
return
self.logger = logging.getLogger()
self.get_keytab(opts)
- # Forcibly use krb then pam modules
+ # Forcibly use gssapi then pam modules
if 'lm_order' not in opts:
opts['lm_order'] = []
- opts['krb'] = 'yes'
- if 'krb' not in opts['lm_order']:
- opts['lm_order'].insert(0, 'krb')
+ opts['gssapi'] = 'yes'
+ if 'gssapi' not in opts['lm_order']:
+ opts['lm_order'].insert(0, 'gssapi')
opts['form'] = 'yes'
if not any(lm in opts['lm_order'] for lm in ('form', 'pam')):
opts['lm_order'].append('form')
import os
-class Krb(LoginPageBase):
+class GSSAPI(LoginPageBase):
def root(self, *args, **kwargs):
# Someone typed manually or a robot is walking th tree.
return self.lm.redirect_to_path(self.lm.path)
-class KrbAuth(LoginPageBase):
+class GSSAPIAuth(LoginPageBase):
def root(self, *args, **kwargs):
trans = self.get_valid_transaction('login', **kwargs)
if not self.user.is_anonymous:
principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None)
if principal:
- userdata = {'krb_principal_name': principal}
+ userdata = {'gssapi_principal_name': principal}
else:
- userdata = {'krb_principal_name': self.user.name}
+ userdata = {'gssapi_principal_name': self.user.name}
return self.lm.auth_successful(trans, self.user.name,
- 'krb', userdata)
+ 'gssapi', userdata)
else:
return self.lm.auth_failed(trans)
-class KrbError(LoginPageBase):
+class GSSAPIError(LoginPageBase):
def root(self, *args, **kwargs):
cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
return next_login.page.root(*args, **kwargs)
conturl = '%s/login' % self.basepath
- return self._template('login/krb.html',
- title='Kerberos Login',
+ return self._template('login/gssapi.html',
+ title='GSSAPI Login',
cont=conturl)
# If we get here, negotiate failed
def __init__(self, *args, **kwargs):
super(LoginManager, self).__init__(*args, **kwargs)
- self.name = 'krb'
- self.path = 'krb/negotiate'
+ self.name = 'gssapi'
+ self.path = 'gssapi/negotiate'
self.page = None
self.description = """
-Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi
+GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi
apache plugin for actual authentication. """
self.new_config(self.name)
def get_tree(self, site):
- self.page = Krb(site, self)
- self.page.__dict__['negotiate'] = KrbAuth(site, self)
- self.page.__dict__['unauthorized'] = KrbError(site, self)
- self.page.__dict__['failed'] = KrbError(site, self)
+ self.page = GSSAPI(site, self)
+ self.page.__dict__['negotiate'] = GSSAPIAuth(site, self)
+ self.page.__dict__['unauthorized'] = GSSAPIError(site, self)
+ self.page.__dict__['failed'] = GSSAPIError(site, self)
return self.page
CONF_TEMPLATE = """
-<Location /${instance}/login/krb/negotiate>
+<Location /${instance}/login/gssapi/negotiate>
AuthType GSSAPI
AuthName "GSSAPI Single Sign On Login"
$keytab
GssapiLocalName on
Require valid-user
- ErrorDocument 401 /${instance}/login/krb/unauthorized
- ErrorDocument 500 /${instance}/login/krb/failed
+ ErrorDocument 401 /${instance}/login/gssapi/unauthorized
+ ErrorDocument 500 /${instance}/login/gssapi/failed
</Location>
"""
def __init__(self, *pargs):
super(Installer, self).__init__()
- self.name = 'krb'
+ self.name = 'gssapi'
self.pargs = pargs
def install_args(self, group):
- group.add_argument('--krb', choices=['yes', 'no'], default='no',
- help='Configure Kerberos authentication')
- group.add_argument('--krb-httpd-keytab',
+ group.add_argument('--gssapi', choices=['yes', 'no'], default='no',
+ help='Configure GSSAPI authentication')
+ group.add_argument('--gssapi-httpd-keytab',
default='/etc/httpd/conf/http.keytab',
help='Kerberos keytab location for HTTPD')
def configure(self, opts):
- if opts['krb'] != 'yes':
+ if opts['gssapi'] != 'yes':
return
confopts = {'instance': opts['instance']}
- if os.path.exists(opts['krb_httpd_keytab']):
+ if os.path.exists(opts['gssapi_httpd_keytab']):
confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
- opts['krb_httpd_keytab'])
+ opts['gssapi_httpd_keytab'])
else:
raise Exception('Keytab not found')
# Add configuration data to database
po = PluginObject(*self.pargs)
- po.name = 'krb'
+ po.name = 'gssapi'
po.wipe_data()
- # Update global config, put 'krb' always first
+ # Update global config, put 'gssapi' always first
ph = self.pargs[0]
ph.refresh_enabled()
- if 'krb' not in ph.enabled:
+ if 'gssapi' not in ph.enabled:
enabled = []
enabled.extend(ph.enabled)
- enabled.insert(0, 'krb')
+ enabled.insert(0, 'gssapi')
ph.save_enabled(enabled)
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
nameid = '_' + uuid.uuid4().hex
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS:
- nameid = us.get_data('user', 'krb_principal_name')
+ nameid = us.get_data('user', 'gssapi_principal_name')
elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL:
nameid = us.get_user().email
if not nameid:
validity = int(opts['saml2_metadata_validity'])
meta = IdpMetadataGenerator(url, cert,
timedelta(validity))
- if 'krb' in opts and opts['krb'] == 'yes':
+ if 'gssapi' in opts and opts['gssapi'] == 'yes':
meta.meta.add_allowed_name_format(
lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS)
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'instance': '${NAME}',
'secure': 'no',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'ldap': 'yes',
'ldap_server_url': 'ldap://${ADDRESS}:45389/',
'openid': 'yes',
'openid_extensions': 'Attribute Exchange,Simple Registration,Teams',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
'secure': 'no',
'testauth': 'yes',
'pam': 'no',
- 'krb': 'no',
+ 'gssapi': 'no',
'ipa': 'no',
'server_debugging': 'True'}
projects / cascardo / ipsilon.git / commitdiff