[Freeipa-devel] [PATCH] make testing easier

Simo Sorce ssorce at redhat.com
Thu Sep 27 15:59:53 UTC 2007


On Thu, 2007-09-27 at 11:22 -0400, Rob Crittenden wrote:
> Karl MacMillan wrote:
> > On Thu, 2007-09-27 at 10:06 -0400, Rob Crittenden wrote:
> >> Karl MacMillan wrote:
> >>> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote:
> >>>> Simo is having problems with his Apache server seemingly not doing 
> >>>> ticket forwarding but only for mod_python. In trying to help him 
> >>>> diagnose this it became very apparent that even this low-level testing 
> >>>> was difficult to set up.
> >>>>
> >>>> I've redone ipa.conf to not require Kerberos for the / but instead just 
> >>>> target it for the things we use (plus /cgi-bin for good measure).
> >>>>
> >>> Is this the right approach or should we have specific URLs for testing /
> >>> error? I don't think I understand the changes well enough to assess the
> >>> risks.
> >> I don't understand. Isn't /ipatest a specific URL for testing? I was 
> >> thinking this would be disabled by default.
> >>
> >> We need a specific url for errors because it needs to be unauthenticated 
> >> (so the user has a place to go on the same machine if their auth fails).
> >>
> > 
> > That was my understanding from the patch, but you mentioned that / would
> > not be authenticated and that posed some risk. I was trying to
> > understand that portion of your comments.
> > 
> > Karl
> > 
> 
> Oh. The risk is if someone decides to put some other content on the web 
> server it won't be automatically protected by Kerberos.

Uhmm, I say it is a low-level risk, as by default admins are used to knowing
that content is anonymous.
Anyway, is it possible to serve a page under / as anonymous while / is
not?
Maybe using a rewrite rule?

Simo.



