[Freeipa-devel] [PATCH] make testing easier

Karl MacMillan kmacmill at redhat.com
Thu Sep 27 13:44:13 UTC 2007


On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote:
> Simo is having problems with his Apache server seemingly not doing 
> ticket forwarding but only for mod_python. In trying to help him 
> diagnose this it became very apparent that even this low-level testing 
> was difficult to set up.
> 
> I've redone ipa.conf to not require Kerberos for the / but instead just 
> target it for the things we use (plus /cgi-bin for good measure).
> 

Is this the right approach or should we have specific URLs for testing /
error? I don't think I understand the changes well enough to assess the
risks.

> I've added a new uri, /ipatest, that is shipped commented out but can be 
> used for this and any future basic testing needs.
> 
> I also include a simple CGI and a simple mod_python script that uses 
> python-ldap to do a GSSAPI LDAP connection similar to what we do in IPA.
> 
> Please consider this carefully. I'm a little nervous about the ipa.conf 
> changes but they were necessary because for some reason curl choked when 
> I had <Location /> protected by Kerberos (either a bug in Apache or curl 
> or both, but regardless testing was impossible).
> 
> The only risk is that we (or someone) adds a new URI to do work and it 
> ends up not being protected by Kerberos. A small risk but a real one.
> 

I went ahead and pushed this patch and the related fixes.

Karl
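
The risk named in the quoted message, a URI added later that no Kerberos-protected `<Location>` covers, can be checked mechanically. The following is an added example, not part of the original thread or of the FreeIPA code: the config text and URI list are constructed, `/ipa` is an assumed path, and only plain `<Location>` prefix sections with `AuthType` are handled (no `LocationMatch` or regex forms).

```python
import re

# Constructed sample config (not the project's ipa.conf): Kerberos is set
# per Location instead of on "/", with /ipatest shipped commented out.
SAMPLE_CONF = """
<Location "/ipa">
  AuthType Kerberos
</Location>
<Location /cgi-bin>
  AuthType Kerberos
</Location>
# <Location /ipatest>
#   AuthType Kerberos
# </Location>
"""

def parse_locations(conf):
    """Return [(path, authtype or None)] for each active <Location>, in file order."""
    blocks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out sections protect nothing
        m = re.match(r'<Location\s+"?([^">\s]+)"?\s*>', line, re.I)
        if m:
            current = [m.group(1), None]
        elif line.lower().startswith("</location") and current:
            blocks.append(tuple(current))
            current = None
        elif current and (a := re.match(r"AuthType\s+(\S+)", line, re.I)):
            current[1] = a.group(1)
    return blocks

def location_matches(path, uri):
    """Apache prefix rule: /x matches /x and /x/..., but not /xother."""
    if path.endswith("/"):
        return uri.startswith(path)
    return uri == path or uri.startswith(path + "/")

def effective_authtype(blocks, uri):
    """Sections merge in file order, so the last matching AuthType wins."""
    hits = [a for p, a in blocks if a and location_matches(p, uri)]
    return hits[-1] if hits else None

def unprotected(conf, uris):
    """List the URIs whose effective AuthType is not Kerberos."""
    blocks = parse_locations(conf)
    return [u for u in uris if (effective_authtype(blocks, u) or "").lower() != "kerberos"]
```

Run against the deployed config and the list of URIs the server actually serves, any path it returns is reachable without Kerberos authentication.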
