From Fedora Project Wiki

Line 18: Line 18:
 
  # ipsilon-server-install --ipa=yes --form=yes
 
  # ipsilon-server-install --ipa=yes --form=yes
  
The ipsilon server installer doesn't yet have support for the Apache SSL plugin mod_nss. It always configures for mod_ssl instead. IPA uses mod_nss, so we need to make a minor tweak to the IDP Apache configuration.
+
==== Configure SSL ====
 +
 
 +
The ipsilon server installer doesn't yet have support for the Apache SSL plugin mod_nss. It always configures mod_ssl instead. IPA uses mod_nss, so we need to make a minor tweak to the IDP Apache configuration.
  
 
Edit /etc/httpd/conf.d/ipsilon-idp.conf
 
Edit /etc/httpd/conf.d/ipsilon-idp.conf
Line 30: Line 32:
 
   NSSRequireSSL
 
   NSSRequireSSL
  
Restart Apache
+
Remove /etc/httpd/conf.d/ssl.conf
 +
 
 +
  rm -f /etc/httpd/conf.d/ssl.conf
 +
 
 +
It is handy to add a rewrite rule to rewrite plain http requests against Ipsilon to https requests.  This can be done by adding the following lines to the bottom of /etc/httpd/conf.d/ipsilon-idp.conf.  Be sure to update the hostname to match your IPA/Ipsilon VM if you have deviated from the hostname recommended in the test day instructions!
 +
 
 +
  # Redirect Ipsilon requests to the secure port
 +
  RewriteCond %{SERVER_PORT} !^443$
 +
  RewriteRule ^/idp(.*) https://ipa.example.com/idp/$1 [L,R=301,NC]
 +
 
 +
==== Configure Kerberos local user mapping ====
 +
 
 +
Ipsilon is set up for Kerberos authentication, but Kerberos authenticated users will be identified by their full principal name.  We want to allow our IPA 'admin' user to authenticate via form-based authentication or Kerberos to perform Ipsilon administration tasks.  This requires enabling local user mapping in mod_auth_kerb to allow Kerberos authenticated users to have their principal name mapped to a normal local user name (plain 'admin').  To enable local user mapping, ensure the following directive is uncommented in /etc/httpd/conf.d/ipsilon-idp.conf:
 +
 
 +
  KrbLocalUserMapping On
 +
 
 +
==== Restart Apache ====
 +
 
 +
The above configuration changes will not take effect until Apache is restarted.  This can be done by running:
  
# systemctl restart httpd
+
  # systemctl restart httpd
  
 
==== Verify the basics ====
 
==== Verify the basics ====
Line 38: Line 58:
 
Firefox should be launched from a machine that is enrolled to the IPA server.
 
Firefox should be launched from a machine that is enrolled to the IPA server.
  
Start firefox
+
# Start firefox.
 +
# Visit http://ipa.example.com/idp
 +
# Authenticate as 'admin' using the IPA admin password.
  
Visit http://ipa.example.com/idp
+
Alternatively, you can use Kerberos authentication by following these steps:
  
Authenticate as admin using the IPA admin password
+
# Run 'kinit admin' on the VM you are using for Firefox.
 +
# Visit http://ipa.example.com/ipa and click on the 'configured' link to the right of the login form.  Follow through the steps in the browser to configure Firefox for Kerberos authentication.
 +
# Visit http://ipa.example.com/idp and click on 'Log In'.  You should be successfully authenticated as the 'admin' user using Kerberos.
  
 
|results=
 
|results=

Revision as of 21:42, 10 March 2015

Description

IDP Installation testing.

Setup

  1. For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. It is assumed that the IDP is installed on the same server/VM as the IPA master

How to test

Installation

First, install the Ipsilon server packages:

# yum install ipsilon ipsilon-tools ipsilon-authkrb ipsilon-infosssd ipsilon-tools-ipa ipsilon-saml2 ipsilon-authfas ipsilon-authldap ipsilon-authform

Install the server to use IPA.

# ipsilon-server-install --ipa=yes --form=yes

Configure SSL

The ipsilon server installer doesn't yet have support for the Apache SSL plugin mod_nss. It always configures mod_ssl instead. IPA uses mod_nss, so we need to make a minor tweak to the IDP Apache configuration.

Edit /etc/httpd/conf.d/ipsilon-idp.conf

Replace

  SSLRequireSSL

With

  NSSRequireSSL

Remove /etc/httpd/conf.d/ssl.conf

  rm -f /etc/httpd/conf.d/ssl.conf

It is handy to add a rewrite rule to rewrite plain http requests against Ipsilon to https requests. This can be done by adding the following lines to the bottom of /etc/httpd/conf.d/ipsilon-idp.conf. Be sure to update the hostname to match your IPA/Ipsilon VM if you have deviated from the hostname recommended in the test day instructions!

  # Redirect Ipsilon requests to the secure port
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^/idp(.*) https://ipa.example.com/idp/$1 [L,R=301,NC]

Configure Kerberos local user mapping

Ipsilon is set up for Kerberos authentication, but Kerberos authenticated users will be identified by their full principal name. We want to allow our IPA 'admin' user to authenticate via form-based authentication or Kerberos to perform Ipsilon administration tasks. This requires enabling local user mapping in mod_auth_kerb to allow Kerberos authenticated users to have their principal name mapped to a normal local user name (plain 'admin'). To enable local user mapping, ensure the following directive is uncommented in /etc/httpd/conf.d/ipsilon-idp.conf:

 KrbLocalUserMapping On

Restart Apache

The above configuration changes will not take effect until Apache is restarted. This can be done by running:

 # systemctl restart httpd

Verify the basics

Firefox should be launched from a machine that is enrolled to the IPA server.

  1. Start firefox.
  2. Visit http://ipa.example.com/idp
  3. Authenticate as 'admin' using the IPA admin password.

Alternatively, you can use Kerberos authentication by following these steps:

  1. Run 'kinit admin' on the VM you are using for Firefox.
  2. Visit http://ipa.example.com/ipa and click on the 'configured' link to the right of the login form. Follow through the steps in the browser to configure Firefox for Kerberos authentication.
  3. Visit http://ipa.example.com/idp and click on 'Log In'. You should be successfully authenticated as the 'admin' user using Kerberos.

Expected Results

All the test steps should end with the specified results.