From 355b6d416d800692f7028e057ff76aab9f8c0470 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Jun 05 2015 17:12:46 +0000
Subject: ipa-pki-proxy: allow certificate and password authentication


ipa-replica-install --setup-ca is failing because the security
domain login attempts password authentication, but the current
ipa-pki-proxy requires certificate authentication.

Set NSSVerifyClient optional to allow both certificate and password
authentication to work.

Reviewed-By: Martin Basti <mbasti@redhat.com>

---

diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
index 366ca15..354b340 100644
--- a/install/conf/ipa-pki-proxy.conf
+++ b/install/conf/ipa-pki-proxy.conf
@@ -1,4 +1,4 @@
-# VERSION 6 - DO NOT REMOVE THIS LINE
+# VERSION 7 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -27,9 +27,16 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for REST API
-<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/profiles">
+<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient require
+    NSSVerifyClient optional
+    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
+</LocationMatch>
+
+<LocationMatch "^/ca/rest/profiles">
+    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+    NSSVerifyClient none
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>