Deploy GSSAPI for Ipsilon in stg

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2016-11-24 16:34:50 +00:00 · 2016-11-24 16:34:50 +00:00 · 4a977b1c73
commit 4a977b1c73
parent 673f85066b
2 changed files with 29 additions and 1 deletions
--- a/roles/ipsilon/files/ipsilon-httpd.conf
+++ b/roles/ipsilon/files/ipsilon-httpd.conf
@ -9,6 +9,18 @@ WSGIImportScript /usr/libexec/ipsilon process-group=ipsilon application-group=ip
    WSGIProcessGroup ipsilon
 </Location>

+<Location /login/gssapi/negotiate>
+    AuthName "GSSAPI Single Sign On Login"
+    GssapiCredStore keytab:/etc/krb5.HTTP_id.stg.fedoraproject.org.keytab
+    AuthType GSSAPI
+    # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
+    GssapiSSLonly Off
+    GssapiLocalName on
+    Require valid-user
+    ErrorDocument 401 /login/gssapi/unauthorized
+    ErrorDocument 500 /login/gssapi/failed
+</Location>
+
 <Directory /usr/libexec>
    Require all granted
 </Directory>
--- a/roles/ipsilon/templates/configuration.conf
+++ b/roles/ipsilon/templates/configuration.conf
@ -1,5 +1,9 @@
 [login_config]
+{% if env == "staging" %}
+global enabled=gssapi,fas
+{% else %}
 global enabled=fas
+{% endif %}
 {% if env == 'staging' %}
 fas FAS url=https://admin.stg.fedoraproject.org/accounts/
 {% else %}
@ -8,11 +12,23 @@ fas FAS url=https://admin.fedoraproject.org/accounts/
 fas FAS Proxy client user Agent=Fedora Ipsilon
 fas FAS Insecure Auth=False

+[info_config]
+{% if env == "staging" %}
+global enabled=fas
+{% endif %}
+{% if env == 'staging' %}
+fas FAS url=https://admin.stg.fedoraproject.org/accounts/
+{% else %}
+fas FAS url=https://admin.fedoraproject.org/accounts/
+{% endif %}
+fas FAS Proxy client user Agent=Fedora Ipsilon
+fas FAS Insecure Auth=False
+fas Bind Username={{ fedoraDummyUser }}
+fas Bind Password={{ fedoraDummyUserPassword }}

 [authz_config]
 global enabled=allow

-
 [provider_config]
 {% if env == "staging" %}
 global enabled=persona,openid,saml2,openidc