#2141 kojiweb: update for mod_auth_gssapi configuration
Merged 2 years ago by tkopecek. Opened 2 years ago by ktdreyer.
ktdreyer/koji kojiweb-gssapi  into  master

file modified
+3 -7
@@ -24,15 +24,11 @@ 


  # uncomment this to enable authentication via Kerberos

  # <Location /koji/login>

- #     AuthType Kerberos

+ #     AuthType GSSAPI

  #     AuthName "Koji Web UI"

- #     KrbMethodNegotiate on

- #     KrbMethodK5Passwd off

- #     KrbServiceName HTTP

- #     KrbAuthRealm EXAMPLE.COM

- #     Krb5Keytab /etc/httpd.keytab

- #     KrbSaveCredentials off

+ #     GssapiCredStore keytab:/etc/koji.keytab

  #     Require valid-user

+ #     GssapiLocalName Off

  #     ErrorDocument 401 /koji-static/errors/unauthorized.html

  # </Location>
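
Review bot: nothing in the `<Location /koji/login>` block requires TLS once `AuthType GSSAPI` and `GssapiCredStore keytab:/etc/koji.keytab` replace the `Krb*` lines. mod_auth_gssapi's `GssapiSSLonly` defaults to Off, so a site that uncomments this sample as written will accept Negotiate over plain HTTP wherever the vhost serves it. Suggest adding a commented `#     GssapiSSLonly On` (or `SSLRequireSSL`) line to the block. Two smaller points in the same hunk: the keytab path changes from `/etc/httpd.keytab` to `/etc/koji.keytab` with no comment telling the admin which file is expected or that it must be readable by the httpd user, and `GssapiLocalName Off` lands after `Require valid-user` instead of next to `GssapiCredStore`, which makes the Gssapi* settings harder to scan.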


Delete the mod_auth_kerb configuration settings from the sample kojiweb.conf file. Add the mod_auth_gssapi settings instead.

I tested a config almost identical to this with mod_auth_gssapi-1.5.1-5.el7 and it works.

Would be nice to have consistency in option values. In ssllogin, there is Off (note upper case O). Also would be nice to have here GssapiSSLonly Off also for consistency reasons.

However, I have tested this on my installation and it works just fine.

rebased onto 79e1de40612f9a341913d4eb32065c69d9c8bda0

2 years ago

Thanks for the review and testing @ignatenkobrain!

I've changed "off" to "Off" for consistency with the rest of the configuration in the tree.

Regarding GssapiSSLonly, I did not realize that we actually recommended turning that off on the hub. That is dangerous. We should actually set Require ssl for all login URLs (/koji/login and /kojihub/ssllogin). I can file a separate PR for that.

https://pagure.io/koji/pull-request/2162 removes GssapiSSLonly Off from the Koji hub Apache configuration.

I investigated Require ssl and it gets complicated because we have to wrap it in a <RequireAll> section. We can use the older SSLRequireSSL setting for simplicity. Let's add that in a separate PR, though.

rebased onto b906c760ed6db5dafa15cd678c036eb1ce79fe0a

2 years ago

rebased onto b9c513274dea2b380dd7c360bea701dd401dc701

2 years ago

Metadata Update from @tkopecek:
- Pull-request tagged with: doc, no_qe

2 years ago

rebased onto 50879c1

2 years ago

Commit ec5e7e6 fixes this pull-request

Pull-Request has been merged by tkopecek

2 years ago