No edit summary |
No edit summary |
||
| Line 18: | Line 18: | ||
# ipsilon-server-install --ipa=yes --form=yes | # ipsilon-server-install --ipa=yes --form=yes | ||
The ipsilon server installer doesn't yet have support for the Apache SSL plugin mod_nss. It always configures | ==== Configure SSL ==== | ||
The ipsilon server installer doesn't yet have support for the Apache SSL plugin mod_nss. It always configures mod_ssl instead. IPA uses mod_nss, so we need to make a minor tweak to the IDP Apache configuration. | |||
Edit /etc/httpd/conf.d/ipsilon-idp.conf | Edit /etc/httpd/conf.d/ipsilon-idp.conf | ||
| Line 30: | Line 32: | ||
NSSRequireSSL | NSSRequireSSL | ||
Restart Apache | Remove /etc/httpd/conf.d/ssl.conf | ||
rm -f /etc/httpd/conf.d/ssl.conf | |||
It is handy to add a rewrite rule to rewrite plain http requests against Ipsilon to https requests. This can be done by adding the following lines to the bottom of /etc/httpd/conf.d/ipsilon-idp.conf. Be sure to update the hostname to match your IPA/Ipsilon VM if you have deviated from the hostname recommended in the test day instructions! | |||
# Redirect Ipsilon requests to the secure port | |||
RewriteCond %{SERVER_PORT} !^443$ | |||
RewriteRule ^/idp(.*) https://ipa.example.com/idp/$1 [L,R=301,NC] | |||
==== Configure Kerberos local user mapping ==== | |||
Ipsilon is set up for Kerberos authentication, but Kerberos authenticated users will be identified by their full principal name. We want to allow our IPA 'admin' user to authenticate via form-based authentication or Kerberos to perform Ipsilon administration tasks. This requires enabling local user mapping in mod_auth_kerb to allow Kerberos authenticated users to have their principal name mapped to a normal local user name (plain 'admin'). To enable local user mapping, ensure the following directive is uncommented in /etc/httpd/conf.d/ipsilon-idp.conf: | |||
KrbLocalUserMapping On | |||
==== Restart Apache ==== | |||
The above configuration changes will not take effect until Apache is restarted. This can be done by running: | |||
# systemctl restart httpd | |||
==== Verify the basics ==== | ==== Verify the basics ==== | ||
| Line 38: | Line 58: | ||
Firefox should be launched from a machine that is enrolled to the IPA server. | Firefox should be launched from a machine that is enrolled to the IPA server. | ||
Start firefox | # Start firefox. | ||
# Visit http://ipa.example.com/idp | |||
# Authenticate as 'admin' using the IPA admin password. | |||
Alternatively, you can use Kerberos authentication by following these steps: | |||
# Run 'kinit admin' on the VM you are using for Firefox. | |||
# Visit http://ipa.example.com/ipa and click on the 'configured' link to the right of the login form. Follow through the steps in the browser to configure Firefox for Kerberos authentication. | |||
# Visit http://ipa.example.com/idp and click on 'Log In'. You should be successfully authenticated as the 'admin' user using Kerberos. | |||
|results= | |results= | ||
Revision as of 21:42, 10 March 2015
Description
IDP Installation testing.
Setup
- For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
- It is assumed that the IDP is installed on the same server/VM as the IPA master
How to test
Installation
First, install the Ipsilon server packages:
# yum install ipsilon ipsilon-tools ipsilon-authkrb ipsilon-infosssd ipsilon-tools-ipa ipsilon-saml2 ipsilon-authfas ipsilon-authldap ipsilon-authform
Install the server to use IPA.
# ipsilon-server-install --ipa=yes --form=yes
Configure SSL
The ipsilon server installer doesn't yet have support for the Apache SSL plugin mod_nss. It always configures mod_ssl instead. IPA uses mod_nss, so we need to make a minor tweak to the IDP Apache configuration.
Edit /etc/httpd/conf.d/ipsilon-idp.conf
Replace
SSLRequireSSL
With
NSSRequireSSL
Remove /etc/httpd/conf.d/ssl.conf
rm -f /etc/httpd/conf.d/ssl.conf
It is handy to add a rewrite rule to rewrite plain http requests against Ipsilon to https requests. This can be done by adding the following lines to the bottom of /etc/httpd/conf.d/ipsilon-idp.conf. Be sure to update the hostname to match your IPA/Ipsilon VM if you have deviated from the hostname recommended in the test day instructions!
# Redirect Ipsilon requests to the secure port
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/idp(.*) https://ipa.example.com/idp/$1 [L,R=301,NC]
Configure Kerberos local user mapping
Ipsilon is set up for Kerberos authentication, but Kerberos authenticated users will be identified by their full principal name. We want to allow our IPA 'admin' user to authenticate via form-based authentication or Kerberos to perform Ipsilon administration tasks. This requires enabling local user mapping in mod_auth_kerb to allow Kerberos authenticated users to have their principal name mapped to a normal local user name (plain 'admin'). To enable local user mapping, ensure the following directive is uncommented in /etc/httpd/conf.d/ipsilon-idp.conf:
KrbLocalUserMapping On
Restart Apache
The above configuration changes will not take effect until Apache is restarted. This can be done by running:
# systemctl restart httpd
Verify the basics
Firefox should be launched from a machine that is enrolled to the IPA server.
- Start firefox.
- Visit http://ipa.example.com/idp
- Authenticate as 'admin' using the IPA admin password.
Alternatively, you can use Kerberos authentication by following these steps:
- Run 'kinit admin' on the VM you are using for Firefox.
- Visit http://ipa.example.com/ipa and click on the 'configured' link to the right of the login form. Follow through the steps in the browser to configure Firefox for Kerberos authentication.
- Visit http://ipa.example.com/idp and click on 'Log In'. You should be successfully authenticated as the 'admin' user using Kerberos.
Expected Results
All the test steps should end with the specified results.