From: Rob Crittenden Date: Tue, 28 Apr 2015 19:16:54 +0000 (-0400) Subject: Change references to authkrb plugin to authgssapi X-Git-Tag: v1.0.0~34 X-Git-Url: http://git.cascardo.info/?p=cascardo%2Fipsilon.git;a=commitdiff_plain;h=68b9e1d3138784c3793f0a04c411f14168748692 Change references to authkrb plugin to authgssapi With the switch to mod_auth_gssapi we aren't limited to only negotiated Kerberos so name the plugin to reflect this. https://fedorahosted.org/ipsilon/ticket/114 Signed-off-by: Rob Crittenden --- diff --git a/README b/README index 8b4f291..9bde0cc 100644 --- a/README +++ b/README @@ -28,7 +28,7 @@ Prerequisites: - A keytab if Kerberos authentication is desired - An unprivileged user to run the Ipsilon code (defaults to 'ipsilon') -Currently there are only two available authentication modules, Kerberos and +Currently there are only two available authentication modules, GSSAPI and PAM. The Kerberos module uses mod_auth_gssapi (which it will configure for you at install time), the Pam module simply uses the PAM stack with a default service name set to 'remote'. @@ -39,7 +39,7 @@ not work properly. Please use a different PAM module, like pam_sss, pam_ldap, etc.. Before you run the install script make sure to create an administrative user -that can be authenticated either via PAM or Kerberos. The default name the +that can be authenticated either via PAM or GSSAPI. The default name the installation script expects is 'admin' but that can be changed with the command line option named --admin-user 
@@ -50,9 +50,10 @@ name is referenced and resolved by remote clients. Other options are available by running ipsilon-server-install --help -To install a server that allow both Kerberos and PAM authentication use: +To install a server that allow both GSSAPI (Kerberos) and PAM authentication +use: - $ ipsilon-server-install --krb=yes --pam=yes + $ ipsilon-server-install --gssapi=yes --pam=yes This command will generate a default instance called 'idp' (you can change the default name using the --instance switch). Multiple instance can be installed diff --git a/contrib/fedora/ipsilon.spec b/contrib/fedora/ipsilon.spec index 335c61b..1127944 100644 --- a/contrib/fedora/ipsilon.spec +++ b/contrib/fedora/ipsilon.spec @@ -78,7 +78,7 @@ Client install tools summary: IPA helpers Group: System Environment/Base License: GPLv3+ -Requires: %{name}-authkrb = %{version}-%{release} +Requires: %{name}-authgssapi = %{version}-%{release} Requires: %{name}-authform = %{version}-%{release} %if 0%{?rhel} Requires: ipa-client @@ -182,7 +182,7 @@ BuildArch: noarch Provides a login plugin to authenticate against the local PAM stack -%package authkrb +%package authgssapi Summary: mod_auth_gssapi based login plugin Group: System Environment/Base License: GPLv3+ @@ -190,7 +190,7 @@ Requires: %{name} = %{version}-%{release} Requires: mod_auth_gssapi BuildArch: noarch -%description authkrb +%description authgssapi Provides a login plugin to allow authentication via the mod_auth_gssapi Apache module. @@ -352,9 +352,9 @@ fi %files authpam %{python2_sitelib}/ipsilon/login/authpam* -%files authkrb -%{python2_sitelib}/ipsilon/login/authkrb* -%{_datadir}/ipsilon/templates/login/krb.html +%files authgssapi +%{python2_sitelib}/ipsilon/login/authgssapi* +%{_datadir}/ipsilon/templates/login/gssapi.html %files authldap %{python2_sitelib}/ipsilon/login/authldap* diff --git a/examples/apache.conf b/examples/apache.conf index 19ebb0d..cacbf70 100644 --- a/examples/apache.conf +++ b/examples/apache.conf 
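Review bot: The subpackage rename from `%package authkrb` to `%package authgssapi` leaves no upgrade path for hosts that already have `ipsilon-authkrb` installed: nothing in these hunks tells the package manager that the new package replaces the old one, so the old package and its `authkrb*` files and `krb.html` template stay behind while `authgssapi` is installed next to them. Adding `Obsoletes: %{name}-authkrb < %{version}-%{release}` and `Provides: %{name}-authkrb = %{version}-%{release}` under the new `%package authgssapi` header lets the upgrade swap the packages cleanly. The `%files authgssapi` list looks consistent with the new module and template names used later in this patch.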
@@ -3,20 +3,16 @@ WSGIScriptAlias /idp /usr/libexec/ipsilon.py WSGIDaemonProcess idp maximum-requests=2 user=ipsilon group=ipsilon WSGIProcessGroup idp - - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms IPA.DEV.LAN - Krb5KeyTab /etc/httpd/conf/http.keytab - KrbSaveCredentials off - KrbConstrainedDelegation off - KrbLocalUserMapping On + + AuthType GSSAPI + AuthName "GSSAPI Single Sign On Login" + GssapiCredStore /etc/httpd/conf/http.keytab + GssapiSSLonly On + GssapiLocalName on Require valid-user - ErrorDocument 401 /idp/login/krb/unauthorized + ErrorDocument 401 /idp/login/gssapi/unauthorized + ErrorDocument 500 /idp/login/gssapi/failed diff --git a/ipsilon/helpers/ipa.py b/ipsilon/helpers/ipa.py index 2caddb3..5c01faa 100644 --- a/ipsilon/helpers/ipa.py +++ b/ipsilon/helpers/ipa.py @@ -93,10 +93,10 @@ class Installer(EnvHelpersInstaller): raise Exception('No IPA tools found!') # Check if we already have a keytab for HTTP - if 'krb_httpd_keytab' in opts: - msg = "Searching for keytab in: %s" % opts['krb_httpd_keytab'] + if 'gssapi_httpd_keytab' in opts: + msg = "Searching for keytab in: %s" % opts['gssapi_httpd_keytab'] print >> sys.stdout, msg, - if os.path.exists(opts['krb_httpd_keytab']): + if os.path.exists(opts['gssapi_httpd_keytab']): print >> sys.stdout, "... Found!" return else: @@ -105,7 +105,7 @@ class Installer(EnvHelpersInstaller): msg = "Searching for keytab in: %s" % HTTPD_IPA_KEYTAB print >> sys.stdout, msg, if os.path.exists(HTTPD_IPA_KEYTAB): - opts['krb_httpd_keytab'] = HTTPD_IPA_KEYTAB + opts['gssapi_httpd_keytab'] = HTTPD_IPA_KEYTAB print >> sys.stdout, "... Found!" return else: 
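Review bot: `GssapiCredStore /etc/httpd/conf/http.keytab` in the example differs from what the installer generates (`'GssapiCredStore keytab:%s'` in ipsilon/login/authgssapi.py later in this patch), which prefixes the path with the `keytab:` store type; the example should use the same form, `GssapiCredStore keytab:/etc/httpd/conf/http.keytab`, so that a hand-written config and a generated one behave alike. The `<Location>` container these directives belong to is not visible in the hunk as rendered, so the path they are scoped to cannot be checked here; it needs to match the `gssapi/negotiate` path the login manager registers and the `/idp/login/gssapi/...` ErrorDocument targets added below it.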
@@ -167,11 +167,11 @@ class Installer(EnvHelpersInstaller): try: msg = "Trying to fetch keytab[%s] for %s" % ( - opts['krb_httpd_keytab'], princ) + opts['gssapi_httpd_keytab'], princ) print >> sys.stdout, msg, subprocess.check_output([IPA_GETKEYTAB, '-s', server, '-p', princ, - '-k', opts['krb_httpd_keytab']], + '-k', opts['gssapi_httpd_keytab']], stderr=subprocess.STDOUT) except subprocess.CalledProcessError, e: # unfortunately this one is fatal @@ -182,12 +182,12 @@ class Installer(EnvHelpersInstaller): # Fixup permissions so only the ipsilon user can read these files pw = pwd.getpwnam(HTTPD_USER) - os.chown(opts['krb_httpd_keytab'], pw.pw_uid, pw.pw_gid) + os.chown(opts['gssapi_httpd_keytab'], pw.pw_uid, pw.pw_gid) def configure_server(self, opts): if opts['ipa'] != 'yes' and opts['ipa'] != 'auto': return - if opts['ipa'] != 'yes' and opts['krb'] == 'no': + if opts['ipa'] != 'yes' and opts['gssapi'] == 'no': return self.logger = logging.getLogger() @@ -196,12 +196,12 @@ class Installer(EnvHelpersInstaller): self.get_keytab(opts) - # Forcibly use krb then pam modules + # Forcibly use gssapi then pam modules if 'lm_order' not in opts: opts['lm_order'] = [] - opts['krb'] = 'yes' - if 'krb' not in opts['lm_order']: - opts['lm_order'].insert(0, 'krb') + opts['gssapi'] = 'yes' + if 'gssapi' not in opts['lm_order']: + opts['lm_order'].insert(0, 'gssapi') opts['form'] = 'yes' if not any(lm in opts['lm_order'] for lm in ('form', 'pam')): opts['lm_order'].append('form') diff --git a/ipsilon/login/authgssapi.py b/ipsilon/login/authgssapi.py index dbb531a..97c3834 100644 --- a/ipsilon/login/authgssapi.py +++ b/ipsilon/login/authgssapi.py @@ -24,7 +24,7 @@ import cherrypy import os -class Krb(LoginPageBase): +class GSSAPI(LoginPageBase): def root(self, *args, **kwargs): # Someone typed manually or a robot is walking th tree. 
@@ -32,7 +32,7 @@ class Krb(LoginPageBase): return self.lm.redirect_to_path(self.lm.path) -class KrbAuth(LoginPageBase): +class GSSAPIAuth(LoginPageBase): def root(self, *args, **kwargs): trans = self.get_valid_transaction('login', **kwargs) @@ -44,16 +44,16 @@ class KrbAuth(LoginPageBase): if not self.user.is_anonymous: principal = cherrypy.request.wsgi_environ.get('GSS_NAME', None) if principal: - userdata = {'krb_principal_name': principal} + userdata = {'gssapi_principal_name': principal} else: - userdata = {'krb_principal_name': self.user.name} + userdata = {'gssapi_principal_name': self.user.name} return self.lm.auth_successful(trans, self.user.name, - 'krb', userdata) + 'gssapi', userdata) else: return self.lm.auth_failed(trans) -class KrbError(LoginPageBase): +class GSSAPIError(LoginPageBase): def root(self, *args, **kwargs): cherrypy.log.error('REQUEST: %s' % cherrypy.request.headers) @@ -68,8 +68,8 @@ class KrbError(LoginPageBase): return next_login.page.root(*args, **kwargs) conturl = '%s/login' % self.basepath - return self._template('login/krb.html', - title='Kerberos Login', + return self._template('login/gssapi.html', + title='GSSAPI Login', cont=conturl) # If we get here, negotiate failed 
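Review bot: Renaming the stored user-data key to `gssapi_principal_name` changes what later consumers look up (ipsilon/providers/saml2/auth.py in this patch reads the new key), but nothing migrates data written under the old `krb_principal_name` key; if that user data outlives an upgrade, presumably in persisted sessions, the Kerberos NameID lookup returns nothing for those users and falls into the `if not nameid:` error path. Either have the consumer fall back to the old key, `nameid = us.get_data('user', 'gssapi_principal_name') or us.get_data('user', 'krb_principal_name')`, or state in the commit message that existing sessions are invalidated on upgrade. The `root` method of `GSSAPIAuth` begins before this hunk.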
@@ -81,25 +81,25 @@ class LoginManager(LoginManagerBase): def __init__(self, *args, **kwargs): super(LoginManager, self).__init__(*args, **kwargs) - self.name = 'krb' - self.path = 'krb/negotiate' + self.name = 'gssapi' + self.path = 'gssapi/negotiate' self.page = None self.description = """ -Kerberos Negotiate authentication plugin. Relies on the mod_auth_gssapi +GSSAPI Negotiate authentication plugin. Relies on the mod_auth_gssapi apache plugin for actual authentication. """ self.new_config(self.name) def get_tree(self, site): - self.page = Krb(site, self) - self.page.__dict__['negotiate'] = KrbAuth(site, self) - self.page.__dict__['unauthorized'] = KrbError(site, self) - self.page.__dict__['failed'] = KrbError(site, self) + self.page = GSSAPI(site, self) + self.page.__dict__['negotiate'] = GSSAPIAuth(site, self) + self.page.__dict__['unauthorized'] = GSSAPIError(site, self) + self.page.__dict__['failed'] = GSSAPIError(site, self) return self.page CONF_TEMPLATE = """ - + AuthType GSSAPI AuthName "GSSAPI Single Sign On Login" $keytab @@ -107,8 +107,8 @@ CONF_TEMPLATE = """ GssapiLocalName on Require valid-user - ErrorDocument 401 /${instance}/login/krb/unauthorized - ErrorDocument 500 /${instance}/login/krb/failed + ErrorDocument 401 /${instance}/login/gssapi/unauthorized + ErrorDocument 500 /${instance}/login/gssapi/failed """ 
@@ -117,25 +117,25 @@ class Installer(LoginManagerInstaller): def __init__(self, *pargs): super(Installer, self).__init__() - self.name = 'krb' + self.name = 'gssapi' self.pargs = pargs def install_args(self, group): - group.add_argument('--krb', choices=['yes', 'no'], default='no', - help='Configure Kerberos authentication') - group.add_argument('--krb-httpd-keytab', + group.add_argument('--gssapi', choices=['yes', 'no'], default='no', + help='Configure GSSAPI authentication') + group.add_argument('--gssapi-httpd-keytab', default='/etc/httpd/conf/http.keytab', help='Kerberos keytab location for HTTPD') def configure(self, opts): - if opts['krb'] != 'yes': + if opts['gssapi'] != 'yes': return confopts = {'instance': opts['instance']} - if os.path.exists(opts['krb_httpd_keytab']): + if os.path.exists(opts['gssapi_httpd_keytab']): confopts['keytab'] = 'GssapiCredStore keytab:%s' % ( - opts['krb_httpd_keytab']) + opts['gssapi_httpd_keytab']) else: raise Exception('Keytab not found') @@ -151,14 +151,14 @@ class Installer(LoginManagerInstaller): # Add configuration data to database po = PluginObject(*self.pargs) - po.name = 'krb' + po.name = 'gssapi' po.wipe_data() - # Update global config, put 'krb' always first + # Update global config, put 'gssapi' always first ph = self.pargs[0] ph.refresh_enabled() - if 'krb' not in ph.enabled: + if 'gssapi' not in ph.enabled: enabled = [] enabled.extend(ph.enabled) - enabled.insert(0, 'krb') + enabled.insert(0, 'gssapi') ph.save_enabled(enabled) diff --git a/ipsilon/providers/saml2/auth.py b/ipsilon/providers/saml2/auth.py index bdcb9b8..521e0c0 100644 --- a/ipsilon/providers/saml2/auth.py +++ b/ipsilon/providers/saml2/auth.py 
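Review bot: The installer now registers the plugin as `gssapi` and inserts it at the head of `ph.enabled`, but an existing deployment whose saved enabled list still contains `krb` is not cleaned up: `po.wipe_data()` presumably only touches the new name, and the stale `krb` entry stays in `enabled` with no plugin behind it. Dropping the old entry where the new one is inserted keeps the list consistent, e.g. replace `enabled = []` / `enabled.extend(ph.enabled)` with `enabled = [lm for lm in ph.enabled if lm != 'krb']` before `enabled.insert(0, 'gssapi')`. The `--krb` option is also removed without a deprecated alias, so scripts that pass `--krb=yes` now fail argument parsing; that may be acceptable for this release but deserves a line in the commit message. `configure` continues outside the hunk.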
@@ -197,7 +197,7 @@ class AuthenticateRequest(ProviderPageBase): elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT: nameid = '_' + uuid.uuid4().hex elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS: - nameid = us.get_data('user', 'krb_principal_name') + nameid = us.get_data('user', 'gssapi_principal_name') elif nameidfmt == lasso.SAML2_NAME_IDENTIFIER_FORMAT_EMAIL: nameid = us.get_user().email if not nameid: diff --git a/ipsilon/providers/saml2idp.py b/ipsilon/providers/saml2idp.py index cec3e88..a507c7e 100644 --- a/ipsilon/providers/saml2idp.py +++ b/ipsilon/providers/saml2idp.py @@ -433,7 +433,7 @@ class Installer(ProviderInstaller): validity = int(opts['saml2_metadata_validity']) meta = IdpMetadataGenerator(url, cert, timedelta(validity)) - if 'krb' in opts and opts['krb'] == 'yes': + if 'gssapi' in opts and opts['gssapi'] == 'yes': meta.meta.add_allowed_name_format( lasso.SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS) diff --git a/tests/attrs.py b/tests/attrs.py index 4a3c8d8..b4d8a99 100755 --- a/tests/attrs.py +++ b/tests/attrs.py @@ -42,7 +42,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/fconf.py b/tests/fconf.py index 409c975..79e7ed7 100755 --- a/tests/fconf.py +++ b/tests/fconf.py @@ -52,7 +52,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/ldap.py b/tests/ldap.py index 52676d3..d144f89 100755 --- a/tests/ldap.py +++ b/tests/ldap.py @@ -25,7 +25,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'instance': '${NAME}', 'secure': 'no', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'ldap': 'yes', 'ldap_server_url': 'ldap://${ADDRESS}:45389/', diff --git a/tests/openid.py b/tests/openid.py index ebc92ba..dfff299 100755 --- a/tests/openid.py 
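Review bot: The Kerberos NameID branch still emits whatever principal the login plugin stored, now under `gssapi_principal_name`, as `SAML2_NAME_IDENTIFIER_FORMAT_KERBEROS`; the commit message says the plugin is no longer limited to Kerberos, so a name obtained through another GSSAPI mechanism would be asserted to relying parties under the Kerberos format. Unless the Apache configuration restricts mod_auth_gssapi to the Kerberos mechanism, the value should be checked for the `user@REALM` shape before use, e.g. `if nameid and '@' not in nameid: nameid = None` right after the lookup, so the existing `if not nameid:` check rejects it. The `saml2idp.py` hunk that advertises the Kerberos format whenever `opts['gssapi'] == 'yes'` rests on the same assumption. The enclosing method of `AuthenticateRequest` extends beyond the hunk.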
+++ b/tests/openid.py @@ -44,7 +44,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'openid': 'yes', 'openid_extensions': 'Attribute Exchange,Simple Registration,Teams', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/pgdb.py b/tests/pgdb.py index ae4b47c..984bcee 100755 --- a/tests/pgdb.py +++ b/tests/pgdb.py @@ -46,7 +46,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/test1.py b/tests/test1.py index 3e0cfc2..d4716bc 100755 --- a/tests/test1.py +++ b/tests/test1.py @@ -41,7 +41,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/testlogout.py b/tests/testlogout.py index 5018066..cdf4f0b 100755 --- a/tests/testlogout.py +++ b/tests/testlogout.py @@ -42,7 +42,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/testmapping.py b/tests/testmapping.py index d5e5dd0..b2ee012 100755 --- a/tests/testmapping.py +++ b/tests/testmapping.py @@ -28,7 +28,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/testnameid.py b/tests/testnameid.py index a47e44b..adc0c08 100755 --- a/tests/testnameid.py +++ b/tests/testnameid.py @@ -27,7 +27,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/testrest.py b/tests/testrest.py index 24a7092..7f472b7 100755 --- a/tests/testrest.py +++ b/tests/testrest.py 
@@ -26,7 +26,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'} diff --git a/tests/trans.py b/tests/trans.py index d7551b3..fbffa00 100755 --- a/tests/trans.py +++ b/tests/trans.py @@ -42,7 +42,7 @@ idp_a = {'hostname': '${ADDRESS}:${PORT}', 'secure': 'no', 'testauth': 'yes', 'pam': 'no', - 'krb': 'no', + 'gssapi': 'no', 'ipa': 'no', 'server_debugging': 'True'}