Imported Debian patch 4.0.5-6~numeezy

install/conf/Makefile.am

@@ -3,7 +3,6 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA =                              \
 	ipa.conf			\
-	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf		\
 	ipa-rewrite.conf		\
 	$(NULL)

install/conf/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.15 from Makefile.am.
+# Makefile.in generated by automake 1.14.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2014 Free Software Foundation, Inc.
+# Copyright (C) 1994-2013 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -15,17 +15,7 @@
 @SET_MAKE@
 
 VPATH = @srcdir@
-am__is_gnu_make = { \
-  if test -z '$(MAKELEVEL)'; then \
-    false; \
-  elif test -n '$(MAKE_HOST)'; then \
-    true; \
-  elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
-    true; \
-  else \
-    false; \
-  fi; \
-}
+am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
 am__make_running_with_option = \
   case $${target_option-} in \
       ?) ;; \
@@ -87,12 +77,12 @@ NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
 subdir = conf
+DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am
 ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/../version.m4 \
 	$(top_srcdir)/configure.ac
 am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
 	$(ACLOCAL_M4)
-DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
 mkinstalldirs = $(install_sh) -d
 CONFIG_HEADER = $(top_builddir)/config.h
 CONFIG_CLEAN_FILES =
@@ -146,7 +136,6 @@ am__uninstall_files_from_dir = { \
 am__installdirs = "$(DESTDIR)$(appdir)"
 DATA = $(app_DATA)
 am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP)
-am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
 AMTAR = @AMTAR@
@@ -237,7 +226,6 @@ NULL =
 appdir = $(IPA_DATA_DIR)
 app_DATA = \
 	ipa.conf			\
-	ipa-kdc-proxy.conf.template	\
 	ipa-pki-proxy.conf		\
 	ipa-rewrite.conf		\
 	$(NULL)
@@ -265,6 +253,7 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am  $(am__confi
 	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign conf/Makefile'; \
 	$(am__cd) $(top_srcdir) && \
 	  $(AUTOMAKE) --foreign conf/Makefile
+.PRECIOUS: Makefile
 Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
 	@case '$?' in \
 	  *config.status*) \
@@ -458,8 +447,6 @@ uninstall-am: uninstall-appDATA
 	pdf-am ps ps-am tags-am uninstall uninstall-am \
 	uninstall-appDATA
 
-.PRECIOUS: Makefile
-
 
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.

install/conf/ipa-kdc-proxy.conf.template

@@ -1,30 +0,0 @@
-# Kerberos over HTTP / MS-KKDCP support (Kerberos KDC Proxy)
-#
-# The symlink from /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ is maintained
-# by the ExecStartPre script /usr/libexec/ipa/ipa-httpd-kdcproxy in
-# httpd.service. The service also sets the environment variable
-# KDCPROXY_CONFIG to $KDCPROXY_CONFIG.
-#
-# Disable KDC Proxy on the current host:
-#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
-#   # systemctl restart httpd.service
-#
-# Enable KDC Proxy on the current host:
-#   # ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
-#   # systemctl restart httpd.service
-#
-
-WSGIDaemonProcess kdcproxy processes=2 threads=15 maximum-requests=5000 \
-  user=kdcproxy group=kdcproxy display-name=%{GROUP}
-WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \
-  process-group=kdcproxy application-group=kdcproxy
-WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py
-WSGIScriptReloading Off
-
-<Location "/KdcProxy">
-  Satisfy Any
-  Order Deny,Allow
-  Allow from all
-  WSGIProcessGroup kdcproxy
-  WSGIApplicationGroup kdcproxy
-</Location>

install/conf/ipa-pki-proxy.conf

@@ -1,4 +1,4 @@
-# VERSION 8 - DO NOT REMOVE THIS LINE
+# VERSION 4 - DO NOT REMOVE THIS LINE
 
 ProxyRequests Off
 
@@ -11,7 +11,7 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for admin port and installer
-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
+<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/rest/installer/installToken|^/ca/admin/ca/updateNumberRange|^/ca/rest/securityDomain/domainInfo|^/ca/rest/account/login|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/rest/account/logout|^/ca/rest/securityDomain/installToken">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient none
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
@@ -19,28 +19,12 @@ ProxyRequests Off
 </LocationMatch>
 
 # matches for agent port and eeca port
-<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient|^/kra/agent/kra/connector">
+<LocationMatch "^/ca/agent/ca/displayBySerial|^/ca/agent/ca/doRevoke|^/ca/agent/ca/doUnrevoke|^/ca/agent/ca/updateDomainXML|^/ca/eeca/ca/profileSubmitSSLClient">
     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
     NSSVerifyClient require
     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
     ProxyPassReverse ajp://localhost:$DOGTAG_PORT
 </LocationMatch>
 
-# matches for CA REST API
-<LocationMatch "^/ca/rest/account/login|^/ca/rest/account/logout|^/ca/rest/installer/installToken|^/ca/rest/securityDomain/domainInfo|^/ca/rest/securityDomain/installToken|^/ca/rest/profiles|^/ca/rest/admin/kraconnector/remove">
-    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient optional
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
-# matches for KRA REST API
-<LocationMatch "^/kra/rest/config/cert/transport|^/kra/rest/account|^/kra/rest/agent/keyrequests|^/kra/rest/agent/keys">
-    NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
-    NSSVerifyClient optional
-    ProxyPassMatch ajp://localhost:$DOGTAG_PORT
-    ProxyPassReverse ajp://localhost:$DOGTAG_PORT
-</LocationMatch>
-
 # Only enable this on servers that are not generating a CRL
 ${CLONE}RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

install/conf/ipa.conf

@@ -1,8 +1,9 @@
 #
-# VERSION 19 - DO NOT REMOVE THIS LINE
+# VERSION 16 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
+# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
@@ -41,7 +42,9 @@ WSGISocketPrefix /run/httpd/wsgi
 
 
 # Configure mod_wsgi handler for /ipa
-WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 display-name=%{GROUP}
+WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500
+WSGIProcessGroup ipa
+WSGIApplicationGroup ipa
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 WSGIScriptReloading Off
@@ -58,19 +61,21 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>
 
+KrbConstrainedDelegationLock ipa
+
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 <Location "/ipa">
-  AuthType GSSAPI
+  AuthType Kerberos
   AuthName "Kerberos Login"
-  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
-  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
-  GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
-  GssapiUseS4U2Proxy on
-  GssapiAllowedMech krb5
+  KrbMethodNegotiate on
+  KrbMethodK5Passwd off
+  KrbServiceName HTTP
+  KrbAuthRealms $REALM
+  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+  KrbSaveCredentials on
+  KrbConstrainedDelegation on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
-  WSGIProcessGroup ipa
-  WSGIApplicationGroup ipa
 </Location>
 
 # Turn off Apache authentication for sessions
@@ -104,14 +109,6 @@ WSGIScriptReloading Off
   Allow from all
 </Location>
 
-# Custodia stuff is redirected to the custodia daemon
-# after authentication
-<Location "/ipa/keys/">
-    ProxyPass "unix:/run/httpd/ipa-custodia.sock|http://localhost/keys/"
-    RequestHeader set GSS_NAME %{GSS_NAME}s
-    RequestHeader set REMOTE_USER %{REMOTE_USER}s
-</Location>
-
 # This is where we redirect on failed auth
 Alias /ipa/errors "/usr/share/ipa/html"
 
@@ -177,6 +174,21 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
     AddHandler wsgi-script .py
 </Directory>
 
+# Protect our CGIs
+<Directory /var/www/cgi-bin>
+  AuthType Kerberos
+  AuthName "Kerberos Login"
+  KrbMethodNegotiate on
+  KrbMethodK5Passwd off
+  KrbServiceName HTTP
+  KrbAuthRealms $REALM
+  Krb5KeyTab /etc/httpd/conf/ipa.keytab
+  KrbSaveCredentials on
+  Require valid-user
+  ErrorDocument 401 /ipa/errors/unauthorized.html
+</Directory>
+
+
 # migration related pages
 Alias /ipa/migration "/usr/share/ipa/migration"
 <Directory "/usr/share/ipa/migration">