[Freeipa-devel] [PATCH 7 of 7] Re-work httpd configuration a little

Mark McLoughlin markmc at redhat.com
Wed Jan 23 16:01:11 UTC 2008


# HG changeset patch
# User Mark McLoughlin <markmc at redhat.com>
# Date 1201102497 0
# Node ID 4d18560f8e46a650764ba5d49472241fac36c31a
# Parent  72921ec04550af04a518218bac5440f4e1e6da96
Re-work httpd configuration a little

IPA's httpd configuration contains 10 lines of kerberos
authentication configuration repeated several times.
This patch pulls those 10 lines into a separate file
which is then included from the main file.

Apart from purely removing duplication, this allows
you to e.g. set up httpd without kerberos auth by
writing an empty httpd-auth.conf file. Or, in other
words, it makes the main httpd configuration know
nothing about kerberos.

Signed-off-by: Mark McLoughlin <markmc at redhat.com>

diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/ipaserver/httpinstance.py
--- a/ipa-server/ipaserver/httpinstance.py	Wed Jan 23 15:34:55 2008 +0000
+++ b/ipa-server/ipaserver/httpinstance.py	Wed Jan 23 15:34:57 2008 +0000
@@ -114,15 +114,23 @@ class HTTPInstance(service.Service):
         pent = pwd.getpwnam("apache")
         os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
 
+    def __configure_http_auth(self, txt):
+        sysrestore.backup_file("/etc/httpd/conf/httpd-auth.conf")
+        auth_fd = open("/etc/httpd/conf/httpd-auth.conf", "w")
+        auth_fd.write(txt)
+        auth_fd.close()
+
     def __configure_http(self):
         http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf",
-                                         FQDN = self.fqdn,
-                                         REALM = self.realm)
+                                         FQDN = self.fqdn)
         sysrestore.backup_file("/etc/httpd/conf.d/ipa.conf")
         http_fd = open("/etc/httpd/conf.d/ipa.conf", "w")
         http_fd.write(http_txt)
-        http_fd.close()                
-
+        http_fd.close()
+        
+        auth_txt = ipautil.template_file(ipautil.SHARE_DIR + "httpd-auth-krb.conf",
+                                         REALM = self.realm)
+        self.__configure_http_auth(auth_txt)
 
     def __disable_mod_ssl(self):
         if os.path.exists(SSL_CONF):
@@ -175,7 +183,9 @@ class HTTPInstance(service.Service):
         if not enabled is None and not enabled:
             self.chkconfig_off()
 
-        for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]:
+        for f in ["/etc/httpd/conf.d/ipa.conf",
+                  "/etc/httpd/conf/httpd-auth.conf",
+                  SSL_CONF, NSS_CONF]:
             sysrestore.restore_file(f)
 
         sebool_state = self.restore_state("httpd_can_network_connect")
diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/xmlrpc-server/Makefile.am
--- a/ipa-server/xmlrpc-server/Makefile.am	Wed Jan 23 15:34:55 2008 +0000
+++ b/ipa-server/xmlrpc-server/Makefile.am	Wed Jan 23 15:34:57 2008 +0000
@@ -24,6 +24,7 @@ appdir = $(IPA_DATA_DIR)
 appdir = $(IPA_DATA_DIR)
 app_DATA =			\
 	ipa.conf		\
+	httpd-auth-krb.conf	\
 	$(NULL)
 
 EXTRA_DIST =			\
diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/xmlrpc-server/httpd-auth-krb.conf
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/ipa-server/xmlrpc-server/httpd-auth-krb.conf	Wed Jan 23 15:34:57 2008 +0000
@@ -0,0 +1,10 @@
+AuthType Kerberos
+AuthName "Kerberos Login"
+KrbMethodNegotiate on
+KrbMethodK5Passwd off
+KrbServiceName HTTP
+KrbAuthRealms $REALM
+Krb5KeyTab /etc/httpd/conf/ipa.keytab
+KrbSaveCredentials on
+Require valid-user
+ErrorDocument 401 /errors/unauthorized.html
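Review bot: The new template has no header saying what it is or where it ends up, which matters because the commit description relies on an empty httpd-auth.conf meaning "no auth". I would open the file with a comment along the lines of `# Template for /etc/httpd/conf/httpd-auth.conf; ipa-server-install substitutes $REALM and the result is Included inside every protected <Directory>/<Proxy> container in ipa.conf. An empty httpd-auth.conf removes both the Kerberos mechanism and the 'Require valid-user' check.` ipa.conf already uses `#` comment lines, so the header adds no directives.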
diff -r 72921ec04550 -r 4d18560f8e46 ipa-server/xmlrpc-server/ipa.conf
--- a/ipa-server/xmlrpc-server/ipa.conf	Wed Jan 23 15:34:55 2008 +0000
+++ b/ipa-server/xmlrpc-server/ipa.conf	Wed Jan 23 15:34:57 2008 +0000
@@ -19,16 +19,8 @@ AddType application/java-archive        
 AddType application/java-archive        jar
 
 <Proxy *>
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  Require valid-user
-  ErrorDocument 401 /errors/unauthorized.html
+  Include conf/httpd-auth.conf
+
   RewriteEngine on
   Order deny,allow
   Allow from all
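Review bot: Moving `Require valid-user` into the included file makes `<Proxy *>` (and the ipaserver and cgi-bin containers below) fail open whenever httpd-auth.conf is empty, which the commit description presents as a feature: an empty file drops the authorization requirement, not just the Kerberos mechanism, and nothing left in ipa.conf catches it. If the intent is only to make the mechanism swappable, keep `Require valid-user` and `ErrorDocument 401 /errors/unauthorized.html` in each container in ipa.conf and move only the AuthType/Krb* lines into the include, so an empty or mis-templated auth file yields 401s rather than anonymous access. As far as I recall, `Include` of a missing file makes httpd refuse to start, so the empty-file case is the only silent one. The `<Proxy *>` container opened in this hunk closes outside it.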
@@ -64,16 +56,7 @@ Alias /config "/usr/share/ipa/html"
 Alias /config "/usr/share/ipa/html"
 
 <Directory "/usr/share/ipa/ipaserver">
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  Require valid-user
-  ErrorDocument 401 /errors/unauthorized.html
+  Include conf/httpd-auth.conf
 
   SetHandler mod_python
   PythonHandler ipaxmlrpc
@@ -95,31 +78,13 @@ Alias /config "/usr/share/ipa/html"
 
 # Protect our CGIs
 <Directory /var/www/cgi-bin>
-  AuthType Kerberos
-  AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  Require valid-user
-  ErrorDocument 401 /errors/unauthorized.html
+  Include conf/httpd-auth.conf
 </Directory>
 
 #Alias /ipatest "/usr/share/ipa/ipatest"
 
 #<Directory "/usr/share/ipa/ipatest">
-#  AuthType Kerberos
-#  AuthName "Kerberos Login"
-#  KrbMethodNegotiate on
-#  KrbMethodK5Passwd off
-#  KrbServiceName HTTP
-#  KrbAuthRealms $REALM
-#  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-#  KrbSaveCredentials on
-#  Require valid-user
-#  ErrorDocument 401 /errors/unauthorized.html
+#  Include conf/httpd-auth.conf
 #
 #  SetHandler mod_python
 #  PythonHandler test_mod_python



