[Freeipa-devel] [PATCH] 882 always require SSL in Kerberos block
Rob Crittenden
rcritten at redhat.com
Mon Sep 26 03:05:04 UTC 2011
Martin Kosek wrote:
> On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
>> Always require SSL in the Kerberos authorization block.
>>
>> This also corrects a slight bug where if add is True then we always
>> re-update the file.
>>
>> rob
>
> ACK. Pushed to master, ipa-2-1.
>
> Martin
>
Sorry guys, this breaks things pretty badly. We need to be able to allow
some non-SSL access to parts of /ipa to fetch configuration and return
errors, etc. for those clients that don't trust our CA yet.
Here is a working change, not fully tested yet:
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 2339387..09b4b7a 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -42,10 +42,17 @@ WSGIScriptReloading Off
SetHandler None
</Location>
+# Ensure SSL is enabled in our APIs
+<Location "/ipa/xml">
+ NSSRequireSSL
+</Location>
+<Location "/ipa/json">
+ NSSRequireSSL
+</Location>
+
# Protect /ipa with Kerberos
<Location "/ipa">
- NSSRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
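Review bot: dropping NSSRequireSSL from `<Location "/ipa">` while adding it only under /ipa/xml and /ipa/json leaves every other path below /ipa reachable over plain HTTP while it still carries `AuthType Kerberos`, so a Negotiate exchange can take place without TLS on those paths; the message body says this is deliberate for clients that do not yet trust the CA, but nothing in the config records that. Suggest expanding the bare "# Ensure SSL is enabled in our APIs" comment to state which paths are intentionally left non-SSL and why (fetching configuration and receiving errors before the CA is trusted), so the next cleanup does not reinstate the blanket requirement that patch 882 had just added, and confirm that every endpoint that accepts credentials sits under one of the two new blocks.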
@@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
+ NSSRequireSSL
AllowOverride None
Satisfy Any
Allow from all
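Review bot: the NSSRequireSSL added inside `<Directory "/usr/share/ipa/migration">` is needed because these pages are served from the Alias rather than through the /ipa/xml or /ipa/json locations, so the two new Location blocks in the previous hunk do not cover them; since this block also carries `Satisfy Any` and `Allow from all`, and the message notes the change is not fully tested, the test plan should include a plain-HTTP request to /ipa/migration and check that it is refused rather than satisfied by the host-based Allow.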
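A quick way to keep track of which paths end up behind a TLS requirement after a change like this is to parse the container blocks and list them. The following is an added example written for this thread, not FreeIPA's own code; the configuration it parses is a constructed snippet approximating the post-patch state of the two hunks above, and it only understands the non-nested `<Location>`/`<Directory>` containers and the mod_nss `NSSRequireSSL` directive used here.

```python
"""Report which Apache/mod_nss container blocks require TLS.

Added example for reviewing ipa.conf changes; not part of FreeIPA.
Handles flat (non-nested) <Location>/<Directory> blocks only.
"""
import re
from dataclasses import dataclass, field

OPEN_RE = re.compile(r'^<(Location|Directory)\s+"?([^">]+)"?\s*>$')
CLOSE_RE = re.compile(r'^</(Location|Directory)>$')


@dataclass
class Block:
    kind: str                 # "Location" or "Directory"
    path: str                 # the URL path or filesystem directory
    directives: list = field(default_factory=list)   # directive names only


def parse_blocks(text):
    """Return the container blocks found in an Apache-style config string."""
    blocks = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            if current is not None:
                raise ValueError("nested containers not handled: %s" % line)
            current = Block(m.group(1), m.group(2))
            continue
        if CLOSE_RE.match(line):
            if current is None:
                raise ValueError("close without open: %s" % line)
            blocks.append(current)
            current = None
            continue
        if current is not None:
            # Keep only the directive name; arguments are not needed here.
            current.directives.append(line.split()[0])
    if current is not None:
        raise ValueError("unterminated container for %s" % current.path)
    return blocks


def ssl_required(block):
    return "NSSRequireSSL" in block.directives


def ssl_paths(blocks):
    """Paths whose container block requires TLS."""
    return [b.path for b in blocks if ssl_required(b)]


def auth_without_ssl(blocks):
    """Paths that configure authentication but do not require TLS.

    These are the blocks a reviewer should look at: the page's thread
    leaves /ipa in this state on purpose, and the check makes that visible.
    """
    return [b.path for b in blocks
            if "AuthType" in b.directives and not ssl_required(b)]


# Constructed sample: the relevant parts of ipa.conf as they would read
# after the patch in this message is applied.
SAMPLE_CONF = """
# Ensure SSL is enabled in our APIs
<Location "/ipa/xml">
  NSSRequireSSL
</Location>
<Location "/ipa/json">
  NSSRequireSSL
</Location>

# Protect /ipa with Kerberos
<Location "/ipa">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
</Location>

# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
  NSSRequireSSL
  AllowOverride None
  Satisfy Any
  Allow from all
</Directory>
"""

if __name__ == "__main__":
    found = parse_blocks(SAMPLE_CONF)
    print("TLS required:", ssl_paths(found))
    print("auth without TLS:", auth_without_ssl(found))
```

Running it against a real ipa.conf (read the file instead of SAMPLE_CONF) prints the Kerberos-protected paths that are not behind NSSRequireSSL, which is exactly the list a reviewer wants to see next to a change that moves the directive around.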