[Freeipa-users] Deploying freeipa behind nginx

Alexander Bokovoy abokovoy at redhat.com
Mon Feb 3 19:10:32 UTC 2014


On Mon, 03 Feb 2014, Steve Severance wrote:
>Yes it works if I specify the -s as ldap.mycorp.com. So we have progress!
>It now appears to authenticate fine when it posts the session but I have a
>new error.
>
>I get an Ipa Error 911 "Missing HTTP referer. <br/> You have to configure
>your browser to send HTTP referer header." I assume this is because the
>external name doesn't match the internal name. Is there a way to modify
>this somewhere?
You can read https://bugzilla.redhat.com/show_bug.cgi?id=747710 for
details and https://rhn.redhat.com/errata/RHSA-2011-1533.html is the
security errata addressing it.

We are deliberately closing cross-site forgery by enforcing
HTTP referrer checks.

Your nginx proxy would be a middle man which we are attempting to
protect against.

Recent discussions on how to allow your use case but still keep the
security tight can be seen here:
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8920 (latter
part of the thread). Discussion stalled since then.

>
>Thanks.
>
>Steve
>
>
>On Mon, Feb 3, 2014 at 4:40 AM, Sumit Bose <sbose at redhat.com> wrote:
>
>> On Fri, Jan 31, 2014 at 01:50:58PM -0800, Steve Severance wrote:
>> > Hi Sumit, That does indeed work. What does that tell us?
>>
>> I'm sorry, but it only tells that in general GSSAPI/Kerberos is working.
>> I think it does not help much with your original issue. About
>> ipa-getkeytab, does it work if you specify the server with the
>> -s/--server option?
>>
>>
>> bye,
>> Sumit
>>
>> >
>> > Steve
>> >
>> >
>> > On Wed, Jan 29, 2014 at 12:11 AM, Sumit Bose <sbose at redhat.com> wrote:
>> >
>> > > On Tue, Jan 28, 2014 at 02:29:07PM -0800, Steve Severance wrote:
>> > > > Hi Everyone,
>> > > >
>> > > > I have deployed freeipa inside our production network. I want to be
>> > > > able to access the web ui so I am attempting to add it to our nginx
>> > > > edge machine. I can pass the requests upstream just fine but I am
>> > > > unable to login using a username/password. I have enabled password
>> > > > authentication in the kerberos section of the freeipa httpd config
>> > > > file. In the logs it looks like the authentication succeeds and a
>> > > > ticket is issued. I assume that the cookie that is returned
>> > > > (ipa_session) has the authentication information in it. The
>> > > > subsequent call to get json data fails and I am prompted to login
>> > > > again.
>> > > >
>> > > > I found this thread
>> > > > (https://www.redhat.com/archives/freeipa-users/2013-August/msg00080.html)
>> > > > which has instructions on adding ipa.mydomain.com to the keytab.
>> > > > When I call ipa-getkeytab it hangs for a bit before returning:
>> > > > ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>> > > >
>> > > > Digging into this if I run: ldapsearch -d 1 -v -H ldaps://ldap.mydomain.com
>> > > >
>> > > > I get:
>> > > > ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
>> > > >         additional info: SASL(-4): no mechanism available:
>> > >
>> > > Does it work if you add the mechanism explicitly, e.g. 'ldapsearch -Y
>> > > GSSAPI ....' ?
>> > >
>> > > bye,
>> > > Sumit
>> > >
>> > > >
>> > > > So we seem to have a SASL problem. If I run ldapsearch with -x simple
>> > > > authentication works just fine.
>> > > >
>> > > > Do I need to do something special to enable SASL so I can get the
>> > > > keytab? The ipa-getkeytab command does not seem to have an option to
>> > > > use simple authentication.
>> > > >
>> > > > Thanks.
>> > > >
>> > > > Steve
>> > >
>> > > > _______________________________________________
>> > > > Freeipa-users mailing list
>> > > > Freeipa-users at redhat.com
>> > > > https://www.redhat.com/mailman/listinfo/freeipa-users
>> > >
>>
>
>
>
>-- 
>Steve Severance
>Director of Engineering
>Altos Research
>
>e. steve at altosresearch.com
>m. (240) 472 - 9645



-- 
/ Alexander Bokovoy
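As an added illustration of the check Alexander describes above (this is not FreeIPA's own code): a minimal Referer validation run over three constructed requests, showing why a request relayed by a proxy under a different external hostname is rejected in the same way a forged cross-site request would be. The hostnames, the header samples and the verdict strings are assumptions made for the example.

```python
from urllib.parse import urlsplit

# Constructed sample requests as seen by the IPA server (names are placeholders):
#   - a browser talking to the server directly by its own name,
#   - the same browser going through a reverse proxy with a different external name,
#   - a client that sends no Referer at all.
SERVER_NAME = "ipa.internal.example"
SAMPLE_REQUESTS = {
    "direct": {"Host": SERVER_NAME, "Referer": "https://ipa.internal.example/ipa/ui/"},
    "via-proxy": {"Host": SERVER_NAME, "Referer": "https://ipa.external.example/ipa/ui/"},
    "no-referer": {"Host": SERVER_NAME},
}


def check_referer(headers: dict, server_name: str) -> str:
    """Return 'ok' or the reason the request fails the Referer check.

    Illustrative reimplementation of the idea behind the check, not FreeIPA's code:
    a state-changing RPC is only accepted when the page that issued it was served
    over https from this server's own name, which a forged cross-site request
    (or a request relayed under another hostname) cannot satisfy.
    """
    referer = headers.get("Referer")
    if not referer:
        return "missing-referer"  # the "Missing HTTP referer" (error 911) case
    parts = urlsplit(referer)
    if parts.scheme != "https":
        return "insecure-referer"
    if (parts.hostname or "").lower() != server_name.lower():
        return "host-mismatch"  # external proxy name != the server's own name
    return "ok"


def classify_samples() -> dict:
    """Run the check over the constructed requests; used by the demo and tests."""
    return {name: check_referer(hdrs, SERVER_NAME) for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:12s} -> {verdict}")
```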