From bbdef52169420d922e95d5d005dc6c8fc5c67001 Mon Sep 17 00:00:00 2001
From: Patrick Uiterwijk
Date: Mon, 12 Dec 2016 00:31:30 +0000
Subject: [PATCH] Enable GSSAPI
Signed-off-by: Patrick Uiterwijk
---
 roles/koji_hub/templates/kojihub.conf.j2 | 26 ------------------------
 1 file changed, 26 deletions(-)
diff --git a/roles/koji_hub/templates/kojihub.conf.j2 b/roles/koji_hub/templates/kojihub.conf.j2
index 86b829e324..144574c1e9 100644
--- a/roles/koji_hub/templates/kojihub.conf.j2
+++ b/roles/koji_hub/templates/kojihub.conf.j2
@@ -24,39 +24,13 @@ Alias /kojifiles "/mnt/koji/"
 {% endif %}
-{% if env == "production" %}
-SSLVerifyClient optional
-{% endif %}
-{% if env == "production" %}
- SSLVerifyClient require
- SSLVerifyDepth 10
- SSLOptions +StdEnvVars
-
- # This complicated ACL stuff is to support both SSL and kerb auth at the same time
- # To be killed on December 12th, 2016, after which "Require valid-user" remains
- #SetEnvIfExpr "%{SSL_CLIENT_S_DN_O} == 'Fedora Project'" cert_s_o_valid
- #SetEnvIfExpr "%{SSL_CLIENT_S_DN_OU} == 'Fedora User Cert'" cert_s_ou_valid
- #SetEnvIfExpr "%{SSL_CLIENT_I_DN_O} == 'Fedora Project'" cert_i_o_valid
- #SetEnvIfExpr "%{SSL_CLIENT_I_DN_OU} == 'Fedora Project CA'" cert_i_ou_valid
- #
- #
- # Require env cert_s_o_valid
- # Require env cert_s_ou_valid
- # Require env cert_i_o_valid
- # Require env cert_i_ou_valid
- #
- # Require valid-user
- #
-
-{% else %}
 AuthType GSSAPI
 GssapiSSLonly On
 GssapiLocalName On
 AuthName "GSSAPI Single Sign On Login"
 GssapiCredStore keytab:/etc/koji-hub-http.keytab
 Require valid-user
-{% endif %}
 # uncomment this to enable authentication via SSL client certificates