[Freeipa-devel] [PATCH] make testing easier

Rob Crittenden rcritten at redhat.com
Thu Sep 27 15:22:56 UTC 2007


Karl MacMillan wrote:
> On Thu, 2007-09-27 at 10:06 -0400, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote:
>>>> Simo is having problems with his Apache server seemingly not doing 
>>>> ticket forwarding but only for mod_python. In trying to help him 
>>>> diagnose this it became very apparent that even this low-level testing 
>>>> was difficult to set up.
>>>>
>>>> I've redone ipa.conf to not require Kerberos for the / but instead just 
>>>> target it for the things we use (plus /cgi-bin for good measure).
>>>>
>>> Is this the right approach or should we have specific URLs for testing /
>>> error? I don't think I understand the changes well enough to assess the
>>> risks.
>> I don't understand. Isn't /ipatest a specific URL for testing? I was 
>> thinking this would be disabled by default.
>>
>> We need a specific URL for errors because it needs to be unauthenticated 
>> (so the user has a place to go on the same machine if their auth fails).
>>
> 
> That was my understanding from the patch, but you mentioned that / would
> not be authenticated and that posed some risk. I was trying to
> understand that portion of your comments.
> 
> Karl
> 

Oh. The risk is if someone decides to put some other content on the web 
server it won't be automatically protected by Kerberos.

rob
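
The trade-off discussed above, as an added example that is not part of the original thread or of the FreeIPA patch: a small audit that lists which deployed URL paths fall outside any Kerberos-protected `<Location>` block. Both config snippets are constructed (not the real ipa.conf), and `/newapp/report` is a hypothetical path standing in for "some other content" added later.

```python
import re

# Constructed sample (not the real ipa.conf): Kerberos scoped to specific
# locations instead of "/", as the thread describes.
SCOPED_CONF = """
<Location "/ipatest">
  AuthType Kerberos
  KrbMethodNegotiate on
  Require valid-user
</Location>
<Location "/cgi-bin">
  AuthType Kerberos
  Require valid-user
</Location>
"""

# Constructed counterpart: Kerberos on "/" covers everything beneath it.
ROOT_CONF = """
<Location "/">
  AuthType Kerberos
  Require valid-user
</Location>
"""

LOCATION_RE = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.S | re.I)

def kerberos_prefixes(conf):
    """Return Location paths that set AuthType Kerberos and restrict access."""
    found = []
    for path, body in LOCATION_RE.findall(conf):
        has_auth = re.search(r'^\s*AuthType\s+Kerberos\b', body, re.M | re.I)
        has_require = re.search(r'^\s*Require\s+(valid-user|user|group)\b', body, re.M | re.I)
        if has_auth and has_require:
            found.append(path.rstrip("/") or "/")
    return found

def is_protected(url_path, prefixes):
    """A <Location> prefix covers the path itself and anything below it."""
    return any(p == "/" or url_path == p or url_path.startswith(p + "/")
               for p in prefixes)

def unprotected(conf, url_paths):
    """URL paths that no Kerberos-protected Location block covers."""
    prefixes = kerberos_prefixes(conf)
    return [u for u in url_paths if not is_protected(u, prefixes)]

if __name__ == "__main__":
    deployed = ["/ipatest/index.html", "/cgi-bin/test.cgi", "/newapp/report"]
    print("scoped config, unprotected:", unprotected(SCOPED_CONF, deployed))
    print("root config, unprotected:  ", unprotected(ROOT_CONF, deployed))
```

The audit ignores `<Directory>`, `<LocationMatch>` and `.htaccess` overrides, so a real deployment check would need to account for those as well.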
