From Fedora Project Wiki

Line 18: Line 18:
Configure the Ipsilon server to use IPA.
Configure the Ipsilon server to use IPA.
  # ipsilon-server-install --ipa=yes --form=yes
  # ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes
Where the info-sssd-domain is the domain you configured for IPA.
==== Configure SSL ====
==== Configure SSL ====

Revision as of 00:14, 12 March 2015


IDP Installation testing.


  1. For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. It is assumed that the IDP is installed on the same server/VM as the IPA master

How to test


Install the IDP on the same VM as your IPA server for simplicity.

First, install the Ipsilon server packages:

# yum install ipsilon ipsilon-tools ipsilon-authkrb ipsilon-infosssd ipsilon-tools-ipa ipsilon-saml2 ipsilon-authfas ipsilon-authldap ipsilon-authform

Configure the Ipsilon server to use IPA.

#  ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes

Where the info-sssd-domain is the domain you configured for IPA.

Configure SSL

The ipsilon server installer doesn't yet have support for the Apache SSL plugin mod_nss. It always configures mod_ssl instead. IPA uses mod_nss, so we need to make a minor tweak to the IDP Apache configuration.

Edit /etc/httpd/conf.d/ipsilon-idp.conf





Remove /etc/httpd/conf.d/ssl.conf

  rm -f /etc/httpd/conf.d/ssl.conf

It is handy to add a rewrite rule to rewrite plain http requests against Ipsilon to https requests. This can be done by adding the following lines to the bottom of /etc/httpd/conf.d/ipsilon-idp.conf. Be sure to update the hostname to match your IPA/Ipsilon VM if you have deviated from the hostname recommended in the test day instructions!

  # Redirect Ipsilon requests to the secure port
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^/idp(.*)$1 [L,R=301,NC]

Configure Kerberos local user mapping

Ipsilon is set up for Kerberos authentication, but Kerberos authenticated users will be identified by their full principal name. We want to allow our IPA 'admin' user to authenticate via form-based authentication or Kerberos to perform Ipsilon administration tasks. This requires enabling local user mapping in mod_auth_kerb to allow Kerberos authenticated users to have their principal name mapped to a normal local user name (plain 'admin'). To enable local user mapping, ensure the following directive is uncommented in /etc/httpd/conf.d/ipsilon-idp.conf:

 KrbLocalUserMapping On

Restart Apache

The above configuration changes will not take effect until Apache is restarted. This can be done by running:

 # systemctl restart httpd

Verify the basics

Firefox should be launched from a machine that is enrolled to the IPA server.

  1. Start firefox.
  2. Visit
  3. Authenticate as 'admin' using the IPA admin password.

If you don't have Firefox installed you can install it and some fonts with:

# yum -y install firefox dejavu-*

Alternatively, you can use Kerberos authentication by following these steps:

  1. Run 'kinit admin' on the VM you are using for Firefox.
  2. Visit and click on the 'configured' link to the right of the login form. Follow through the steps in the browser to configure Firefox for Kerberos authentication.
  3. Visit and click on 'Log In'. You should be successfully authenticated as the 'admin' user using Kerberos.

Expected Results

All the test steps should end with the specified results.