[Freeipa-devel] [PATCH] make testing easier

Rob Crittenden rcritten at redhat.com
Thu Sep 27 17:12:05 UTC 2007


Simo Sorce wrote:
> On Thu, 2007-09-27 at 11:22 -0400, Rob Crittenden wrote:
>> Karl MacMillan wrote:
>>> On Thu, 2007-09-27 at 10:06 -0400, Rob Crittenden wrote:
>>>> Karl MacMillan wrote:
>>>>> On Tue, 2007-09-25 at 09:12 -0400, Rob Crittenden wrote:
>>>>>> Simo is having problems with his Apache server seemingly not doing 
>>>>>> ticket forwarding but only for mod_python. In trying to help him 
>>>>>> diagnose this it became very apparent that even this low-level testing 
>>>>>> was difficult to set up.
>>>>>>
>>>>>> I've redone ipa.conf to not require Kerberos for the / but instead just 
>>>>>> target it for the things we use (plus /cgi-bin for good measure).
>>>>>>
>>>>> Is this the right approach or should we have specific urls for testing /
>>>>> error. I don't think I understand the changes well enough to assess the
>>>>> risks.
>>>> I don't understand. Isn't /ipatest a specific url for testing? I was 
>>>> thinking this would be disabled by default.
>>>>
>>>> We need a specific url for errors because it needs to be unauthenticated 
>>>> (so the user has a place to go on the same machine if their auth fails).
>>>>
>>> That was my understanding from the patch, but you mentioned that / would
>>> not be authenticated and that posed some risk. I was trying to
>>> understand that portion of your comments.
>>>
>>> Karl
>>>
>> Oh. The risk is if someone decides to put some other content on the web 
>> server it won't be automatically protected by kerberos.
> 
> Uhmm I say it is a low level risk, as by default admins are used to know
> that content is anonymous.
> Anyways, is it possible to serve a page under / as anonymous while / is
> not?
> Maybe using a rewrite rule?
> 
> Simo.
> 

You add a "Satisfy Any" and "Allow from all" into the Directory/Location 
entry.

rob
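
The approach in the reply above, written out as an added example (it is not part of the original message or of the patch's ipa.conf). It assumes Apache 2.2-style access control with mod_auth_kerb; the realm, keytab path and the /errors location are hypothetical placeholders.

```apache
# Added illustration, not the project's configuration.
# EXAMPLE.COM, the keytab path and /errors are hypothetical placeholders.

# Kerberos is required for the whole site, so any content dropped
# onto the server later is protected by default.
<Location "/">
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate on
  KrbMethodK5Passwd off
  KrbServiceName HTTP
  KrbAuthRealms EXAMPLE.COM
  Krb5KeyTab /etc/httpd/conf/ipa.keytab
  Require valid-user
</Location>

# Anonymous exception for one narrow path (for example an error page
# a user can reach when authentication fails).
# "Satisfy Any" grants access when EITHER the host-based check OR the
# authentication requirement passes; "Allow from all" makes the host
# check always pass, so the inherited "Require valid-user" is not enforced.
# Location sections are applied in the order they appear, so this block
# must come after the one for "/".
<Location "/errors">
  Order allow,deny
  Allow from all
  Satisfy Any
</Location>
```

The exception covers everything beneath the path it names, so keep that Location as narrow as possible. On Apache 2.4, `Satisfy`, `Order` and `Allow` are provided by mod_access_compat; the native equivalent inside the exception is `Require all granted`.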