[Freeipa-devel] Adding Debian support to the FreeIPA code

Krzysztof Klimonda kklimonda at syntaxhighlighted.com
Tue Feb 28 19:56:32 UTC 2012


On 02/28/2012 07:09 PM, Simo Sorce wrote:
[snip]
> 
> Krzysztof, would you mind identifying the main differences/issues
> in httpinstance so we can have a better idea of what needs rework
> and maybe identify if there is anything we can change that would
> make it easier?
> 
> Simo.
> 

Okay, Apache 2 in Debian includes a bunch of other directories where the
configuration is split, based on its usage. Below is the list of
Includes (in the order they are added to apache2.conf) with short
comments.

Include mods-enabled/*.load
Include mods-enabled/*.conf

Those two lines enable various Apache mods like mod_nss or mod_rewrite.
The LoadModule directive goes to *.load and module-specific configuration
goes to *.conf.

Packages ship files in /etc/apache2/mods-available/ and they are enabled
by using a small perl script called a2enmod (which creates a symlink,
but also handles dependencies between modules and some substitutions,
like enabling mod_cgid instead of mod_cgi when needed).

Include httpd.conf

This one contains user configuration, and by default is empty.

Include ports.conf

Which ports Apache should listen on (by default it's listening on port
80, and 443 if mod_ssl or mod_gnutls is enabled).

Include conf.d/

This seems to be the closest to /etc/httpd/conf.d/ from Fedora, in the
sense that other packages drop their configuration there.

Include sites-enabled/

All VirtualHost configurations should go here.

As with mods-enabled/, this directory contains symlinks to
/etc/apache2/sites-available, and is managed with the
a2ensite/a2dissite scripts.


First, there is the issue of NSS_CONF. That seems to be the biggest
difference. As mentioned above, in Debian we put module configuration
in apache2/mods-available, but virtual hosts go to
apache2/sites-available/. Currently libapache2-mod-nss doesn't ship
with VirtualHost enabled, but when it does, it'll most likely follow
this rule.

That means that some methods (for example __set_mod_nss_nickname)
would try editing the wrong configuration file.

Other changes are much smaller:
 - __create_http_keytab -- there is no /etc/httpd/conf, some people use
/etc/apache2/keytab/ but I don't think there is a standard place to put
keytabs in, perhaps in /etc/apache2/ itself?
 - __configure_http -- it's possible (and highly probable) that just
putting those files (ipa.conf, ipa-rewrite.conf) in /etc/apache2/conf.d/
should be enough
 - SSL_CONF is not used, instead we should call a2dismod ssl in
   __disable_mod_ssl
 - __setup_ssl -- looks fine although the NSSCertificateDatabase path
is weird in Debian (but that shouldn't be a problem)
 - __setup_autoconfig modifies files in /usr/share/ and that seems to be
non-compliant with FHS. It may slip through checks at first but I'd
expect people to report bugs at some point.


And that's it? Hmm... When I started writing this down I was
expecting many more problems; it seems rather simple.

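Added example, not part of the original message and not FreeIPA code: one way to avoid a hard-coded path such as NSS_CONF is to follow the Include lines from apache2.conf in order and report which included file actually sets a directive like NSSNickname. The tree below is constructed; the site name ipa-nss, the file contents and the function names are assumptions.

```python
import glob
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*Include\s+(\S+)", re.I)

def included_files(root, conf="apache2.conf"):
    """Config files in the order the Include lines pull them in."""
    root = os.path.abspath(root)
    path = os.path.join(root, conf)
    ordered = [path]
    with open(path) as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if not m:
                continue
            pattern = os.path.join(root, m.group(1))
            if os.path.isdir(pattern):  # "Include conf.d/" reads every file in it
                pattern = os.path.join(pattern, "*")
            for child in sorted(glob.glob(pattern)):
                if os.path.isfile(child):
                    ordered += included_files(root, child)
    return ordered

def files_setting(root, directive):
    """Relative paths of the included files that set `directive`."""
    pat = re.compile(r"^\s*" + re.escape(directive) + r"\s", re.I)
    hits = []
    for path in included_files(root):
        with open(path) as fh:
            if any(pat.match(line) for line in fh):
                hits.append(os.path.relpath(path, root))
    return hits

def build_sample_tree():
    """Constructed Debian-style tree; on a real system the *-enabled entries are symlinks."""
    root = tempfile.mkdtemp()
    files = {  # 'ipa-nss' is a hypothetical site name, file contents are sample values
        "apache2.conf": "Include mods-enabled/*.load\nInclude mods-enabled/*.conf\nInclude sites-enabled/\n",
        "mods-enabled/nss.load": "LoadModule nss_module /usr/lib/apache2/modules/mod_nss.so\n",
        "mods-enabled/nss.conf": "NSSPassPhraseHelper /usr/sbin/nss_pcache\n",
        "sites-enabled/ipa-nss": "<VirtualHost *:443>\n  NSSNickname Server-Cert\n</VirtualHost>\n",
    }
    for name, body in files.items():
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root
```

On the constructed tree, `files_setting(build_sample_tree(), "NSSNickname")` returns `["sites-enabled/ipa-nss"]`, so an installer that edits the certificate nickname would be pointed at the virtual host file rather than the module configuration.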


