Deploy GSSAPI for Ipsilon in stg

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
This commit is contained in:
Patrick Uiterwijk 2016-11-24 16:34:50 +00:00
parent 673f85066b
commit 4a977b1c73
2 changed files with 29 additions and 1 deletions

View file

@ -9,6 +9,18 @@ WSGIImportScript /usr/libexec/ipsilon process-group=ipsilon application-group=ip
WSGIProcessGroup ipsilon
</Location>
<Location /login/gssapi/negotiate>
AuthName "GSSAPI Single Sign On Login"
GssapiCredStore keytab:/etc/krb5.HTTP_id.stg.fedoraproject.org.keytab
AuthType GSSAPI
# This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
GssapiSSLonly Off
GssapiLocalName on
Require valid-user
ErrorDocument 401 /login/gssapi/unauthorized
ErrorDocument 500 /login/gssapi/failed
</Location>
<Directory /usr/libexec>
Require all granted
</Directory>

View file

@ -1,5 +1,9 @@
[login_config]
{% if env == "staging" %}
global enabled=gssapi,fas
{% else %}
global enabled=fas
{% endif %}
{% if env == 'staging' %}
fas FAS url=https://admin.stg.fedoraproject.org/accounts/
{% else %}
@ -8,11 +12,23 @@ fas FAS url=https://admin.fedoraproject.org/accounts/
fas FAS Proxy client user Agent=Fedora Ipsilon
fas FAS Insecure Auth=False
[info_config]
{% if env == "staging" %}
global enabled=fas
{% endif %}
{% if env == 'staging' %}
fas FAS url=https://admin.stg.fedoraproject.org/accounts/
{% else %}
fas FAS url=https://admin.fedoraproject.org/accounts/
{% endif %}
fas FAS Proxy client user Agent=Fedora Ipsilon
fas FAS Insecure Auth=False
fas Bind Username={{ fedoraDummyUser }}
fas Bind Password={{ fedoraDummyUserPassword }}
[authz_config]
global enabled=allow
[provider_config]
{% if env == "staging" %}
global enabled=persona,openid,saml2,openidc