Allow GSSAPI for lookaside
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
This commit is contained in:
parent
b276b02103
commit
6fad69aca7
3 changed files with 32 additions and 13 deletions
|
@ -100,6 +100,9 @@ def main():
|
||||||
os.umask(002)
|
os.umask(002)
|
||||||
|
|
||||||
username = os.environ.get('SSL_CLIENT_S_DN_CN', None)
|
username = os.environ.get('SSL_CLIENT_S_DN_CN', None)
|
||||||
|
gssname = os.environ.get('GSS_NAME', None)
|
||||||
|
if gssname and '@' in gssname and not username:
|
||||||
|
username = gssname.partition('@')[0]
|
||||||
if not check_auth(username):
|
if not check_auth(username):
|
||||||
send_error('You must connect with a valid certificate and be in the '
|
send_error('You must connect with a valid certificate and be in the '
|
||||||
'%s group to upload.' % PACKAGER_GROUP,
|
'%s group to upload.' % PACKAGER_GROUP,
|
||||||
|
|
|
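Review bot: `username = gssname.partition('@')[0]` keeps only the part before the first `@` and never inspects the realm, so any principal that mod_auth_gssapi accepts — including one from another realm if the KDC has cross-realm trust, or a multi-component service principal — collapses to a bare name that `check_auth` then treats as a local packager. Pin the realm before mapping, e.g. `user, _, realm = gssname.partition('@')` followed by `if user and realm == EXPECTED_REALM and not username: username = user`, where `EXPECTED_REALM` is a placeholder for a constant naming the one realm this deployment trusts. The `send_error` text two lines below still says a valid certificate is required, which is no longer the only accepted credential; extend the message to mention Kerberos/GSSAPI login as well. main() continues outside the hunk.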
@ -29,6 +29,15 @@
|
||||||
notify:
|
notify:
|
||||||
- reload httpd
|
- reload httpd
|
||||||
|
|
||||||
|
- name: install the keytab
|
||||||
|
copy: src="{{ private }}/files/keytabs/{{env}}/pkgs"
|
||||||
|
dest=/etc/httpd.keytab
|
||||||
|
owner=apache
|
||||||
|
group=apache
|
||||||
|
mode=0600
|
||||||
|
notify:
|
||||||
|
- reload httpd
|
||||||
|
|
||||||
- name: allow httpd to access the files on NFS
|
- name: allow httpd to access the files on NFS
|
||||||
seboolean: name=httpd_use_nfs state=yes persistent=yes
|
seboolean: name=httpd_use_nfs state=yes persistent=yes
|
||||||
|
|
||||||
|
|
|
@ -43,12 +43,6 @@ SSLCryptoDevice builtin
|
||||||
SSLVerifyClient optional
|
SSLVerifyClient optional
|
||||||
SSLVerifyDepth 1
|
SSLVerifyDepth 1
|
||||||
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
|
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
|
||||||
# require that the client auth cert was created by us and signed by us
|
|
||||||
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
|
||||||
and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
|
|
||||||
and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
|
|
||||||
and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
|
|
||||||
and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
|
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
<Location /repo/pkgs/upload.cgi>
|
<Location /repo/pkgs/upload.cgi>
|
||||||
|
@ -60,13 +54,26 @@ SSLCryptoDevice builtin
|
||||||
SSLVerifyClient optional
|
SSLVerifyClient optional
|
||||||
SSLVerifyDepth 1
|
SSLVerifyDepth 1
|
||||||
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
|
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
|
||||||
# require that the access comes from internal or that
|
|
||||||
# the client auth cert was created by us and signed by us
|
AuthType GSSAPI
|
||||||
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
|
GssapiSSLonly On
|
||||||
and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
|
AuthName "GSSAPI Single Sign On Login"
|
||||||
and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
|
GssapiCredStore keytab:/etc/httpd.keytab
|
||||||
and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
|
|
||||||
and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
|
SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid
|
||||||
|
SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid
|
||||||
|
SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid
|
||||||
|
SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid
|
||||||
|
|
||||||
|
<RequireAny>
|
||||||
|
<RequireAll>
|
||||||
|
Require env cert_s_o_valid
|
||||||
|
Require env cert_s_ou_valid
|
||||||
|
Require env cert_i_o_valid
|
||||||
|
Require env cert_i_ou_valid
|
||||||
|
</RequireAll>
|
||||||
|
Require valid-user
|
||||||
|
</RequireAny>
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
</VirtualHost>
|
</VirtualHost>
|
||||||
|
|
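Review bot: The first hunk (`@ -43,12 +43,6`) deletes the `SSLRequire` block from the `<Directory>` section and puts nothing in its place, so that section now relies on `SSLVerifyClient optional` alone — unless a `Require` directive outside the hunk still covers it, a client presenting no certificate is no longer rejected there. If the intent is that upload.cgi's own `check_auth` gates this path, record that where the directives were removed with `# access to this directory is gated by upload.cgi (GSSAPI or client cert)`; otherwise apply the same `SetEnvIfExpr`/`<RequireAll>` construction the `<Location>` hunk uses. In the second hunk the four DN comparisons are carried over, but the old `%{SSL_CIPHER} !~ m/^(EXP|NULL)/` test is dropped; if weak ciphers are already excluded by `SSLCipherSuite` elsewhere that is fine, otherwise add `SetEnvIfExpr "%{SSL_CIPHER} !~ /^(EXP|NULL)/" cipher_ok` and `Require env cipher_ok` inside the `<RequireAll>`. The `<Directory>` opening line and any other directives in that block are outside the first hunk, so the first point is inferred from what is visible.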