[Freeipa-users] Disable IPA Web UI auto-login
Petr Vobornik
pvoborni at redhat.com
Mon Feb 15 15:53:29 UTC 2016
Hello,
On 02/15/2016 02:12 PM, Wanderley Mayhé wrote:
>
>
> Hello Rob
>
>
>
> Regarding the thread
> https://www.redhat.com/archives/freeipa-users/2010-July/msg00022.html I
> have tested to set KrbMethodK5Passwd to “on” and restarted httpd but IPA
> Web UI was still trying to auto-login user through a browser dialog.
>
>
>
> In order to effectively disable this browser dialog, I had to edit
> /etc/httpd/conf.d/ipa.conf
>
> and add this line set KrbMethodNegotiate to off as follows (and restarted
> httpd):
>
>
>
>
>
> # Protect /ipa and everything below it in webspace with Apache Kerberos
> auth
>
> <Location "/ipa">
>
> AuthType Kerberos
>
> AuthName "Kerberos Login"
>
> ## KrbMethodNegotiate on
>
> KrbMethodNegotiate off
>
> KrbMethodK5Passwd off
>
> KrbServiceName HTTP
>
> KrbAuthRealms IBP.ORG.BR
>
> Krb5KeyTab /etc/httpd/conf/ipa.keytab
>
> KrbSaveCredentials on
>
> KrbConstrainedDelegation on
>
> Require valid-user
>
> ErrorDocument 401 /ipa/errors/unauthorized.html
>
> </Location>
>
>
>
> Am I correct to assume that that JSON API will not be affected by this
> change?
No
>
> Is there any major problems this setting could cause?
>
Yes, it would affect the API :)
Better option would be to modify Web UI with UI plugin to skip Kerberous
auth - harder to explain.
Or easier thing might be to modify ipa.conf in a way that
/ipa/session/login_kerberos would not return negotiate headers but would
fail immediately with 401.
--
Petr Vobornik
More information about the Freeipa-users
mailing list