Change configuration on new installs only.
Enable GssapiLocalName so we have access to the local name in
REMOTE_USER and the full principal in GSS_NAME.
Enable GssapiSSLonly even though SSLRequireSSL is also set.
The belt and suspenders principle.
https://fedorahosted.org/ipsilon/ticket/89
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
- An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
Currently there are only two available authentication modules, Kerberos and
- An unprivileged user to run the Ipsilon code (defaults to 'ipsilon')
Currently there are only two available authentication modules, Kerberos and
-PAM. The Kerberos module uses mod_auth_kerb (which it will configure for you at
-install time), the Pam module simply uses the PAM stack with a default service
+PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for
+you at install time), the Pam module simply uses the PAM stack with a default service
name set to 'remote'.
NOTE: The PAM module is invoked as an unprivileged user so if you are using the
name set to 'remote'.
NOTE: The PAM module is invoked as an unprivileged user so if you are using the
-Summary: mod_auth_kerb based login plugin
+Summary: mod_auth_gssapi based login plugin
Group: System Environment/Base
License: GPLv3+
Requires: %{name} = %{version}-%{release}
Group: System Environment/Base
License: GPLv3+
Requires: %{name} = %{version}-%{release}
+Requires: mod_auth_gssapi
BuildArch: noarch
%description authkrb
BuildArch: noarch
%description authkrb
-Provides a login plugin to allow authentication via the mod_auth_kerb Apache
-module.
+Provides a login plugin to allow authentication via the mod_auth_gssapi
+Apache module.
-Summary: mod_auth_kerb based login plugin
+Summary: LDAP info and login plugin
Group: System Environment/Base
License: GPLv3+
Requires: %{name} = %{version}-%{release}
Group: System Environment/Base
License: GPLv3+
Requires: %{name} = %{version}-%{release}
Ipsilon is mostly a web service builtin in python on the cherrypy framework.
It is normally installed and run in an apache server and some plugins depend
Ipsilon is mostly a web service builtin in python on the cherrypy framework.
It is normally installed and run in an apache server and some plugins depend
-on authentication modules available in apache like mod_auth_kerb.
+on authentication modules available in apache like mod_auth_gssapi.
Each authentication method is chained to the next in line so that automatic
fallback can happen and multiple authentication methods can be employed at
Each authentication method is chained to the next in line so that automatic
fallback can happen and multiple authentication methods can be employed at
def root(self, *args, **kwargs):
cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
def root(self, *args, **kwargs):
cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers)
- # If we have no negotiate header return whatever mod_auth_kerb
+ # If we have no negotiate header return whatever mod_auth_gssapi
# generated and wait for the next request
if 'WWW-Authenticate' not in cherrypy.request.headers:
# generated and wait for the next request
if 'WWW-Authenticate' not in cherrypy.request.headers:
self.path = 'krb/negotiate'
self.page = None
self.description = """
self.path = 'krb/negotiate'
self.page = None
self.description = """
-Kereros Negotiate authentication plugin. Relies on the mod_auth_kerb apache
-plugin for actual authentication. """
+Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi
+apache plugin for actual authentication. """
self.new_config(self.name)
def get_tree(self, site):
self.new_config(self.name)
def get_tree(self, site):
CONF_TEMPLATE = """
<Location /${instance}/login/krb/negotiate>
CONF_TEMPLATE = """
<Location /${instance}/login/krb/negotiate>
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- $realms
+ AuthType GSSAPI
+ AuthName "GSSAPI Single Sign On Login"
- KrbSaveCredentials off
- KrbConstrainedDelegation off
- # KrbLocalUserMapping On
+ GssapiSSLonly $gssapisslonly
+ GssapiLocalName on
Require valid-user
ErrorDocument 401 /${instance}/login/krb/unauthorized
Require valid-user
ErrorDocument 401 /${instance}/login/krb/unauthorized
def install_args(self, group):
group.add_argument('--krb', choices=['yes', 'no'], default='no',
help='Configure Kerberos authentication')
def install_args(self, group):
group.add_argument('--krb', choices=['yes', 'no'], default='no',
help='Configure Kerberos authentication')
- group.add_argument('--krb-realms',
- help='Allowed Kerberos Auth Realms')
group.add_argument('--krb-httpd-keytab',
default='/etc/httpd/conf/http.keytab',
help='Kerberos keytab location for HTTPD')
group.add_argument('--krb-httpd-keytab',
default='/etc/httpd/conf/http.keytab',
help='Kerberos keytab location for HTTPD')
confopts = {'instance': opts['instance']}
if os.path.exists(opts['krb_httpd_keytab']):
confopts = {'instance': opts['instance']}
if os.path.exists(opts['krb_httpd_keytab']):
- confopts['keytab'] = ' Krb5KeyTab %s' % opts['krb_httpd_keytab']
+ confopts['keytab'] = 'GssapiCredStore keytab:%s' % (
+ opts['krb_httpd_keytab'])
else:
raise Exception('Keytab not found')
else:
raise Exception('Keytab not found')
- if opts['krb_realms'] is None:
- confopts['realms'] = ' # KrbAuthRealms - Any realm is allowed'
+ if opts['secure'] == 'no':
+ confopts['gssapisslonly'] = 'Off'
- confopts['realms'] = ' KrbAuthRealms %s' % opts['krb_realms']
+ confopts['gssapisslonly'] = 'On'
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts) # pylint: disable=star-args
tmpl = Template(CONF_TEMPLATE)
hunk = tmpl.substitute(**confopts) # pylint: disable=star-args
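Review bot: Dropping `--krb-realms` together with the `KrbAuthRealms`/`$realms` lines of CONF_TEMPLATE leaves the new mod_auth_gssapi configuration without any explicit realm restriction, so which principals are accepted now depends on what the KDC trusts and, with `GssapiLocalName on`, on the krb5 auth_to_local rules that produce REMOTE_USER; nothing in the hunk records that this is the intended replacement. If it is, a comment next to the `GssapiLocalName on` line in CONF_TEMPLATE would make the trust boundary explicit, e.g. `# realm filtering is delegated to the krb5 auth_to_local rules; there is no KrbAuthRealms equivalent here`, and the removed `--krb-realms` option should be mentioned in the install documentation. A smaller point: the new `confopts['keytab']` value no longer carries the leading space the old `' Krb5KeyTab %s'` had, so the `$keytab` placeholder in CONF_TEMPLATE (not visible in this hunk) should be checked for the intended indentation. The enclosing install function starts before this hunk, and the `else:` line between the two `gssapisslonly` assignments is not shown here, so the `'On'` branch is inferred.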