Hi,
I am not sure I understand what you mean. The below screenshot should be
the first thing you see when you go to
https://ipaserver.com/ipa/ui/
(unless you need to accept the security exception if the CA is not trusted
yet by the browser).
Is a custom configuration applied to the http instance (for instance in
/etc/httpd/conf/httpd.conf)?
flo
On Tue, Sep 21, 2021 at 2:13 PM Per Qvindesland via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi
There is one thing that i have never really understood, when a user goes
to
https://ipaserver.com/ipa/ui/ he/she get's a Apache login prompt and
has to click cancel a coulple of times before getting to the Ipa login
screen.
It seems to be caused by /etc/httpd/conf.d/ipa.conf which has the
configuration below, why is that even there when it's not even logging
users into Ipa?
'
Regards
Per
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
# Uncomment the following to have shorter sessions, but beware this may
break
# old IPA client tols that incorrectly parse cookies.
# SessionMaxAge 1800
GssapiSessionKey file:/etc/httpd/alias/ipasession.key
GssapiImpersonate On
GssapiDelegCcacheDir /run/ipa/ccaches
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors
'none'"
# mod_session always sets two copies of the cookie, and this confuses our
# legacy clients, the unset here works because it ends up unsetting only
one
# of the 2 header tables set by mod_session, leaving the other intact
Header unset Set-Cookie
# Disable etag http header. Doesn't work well with mod_deflate
#
https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is
sufficient.
Header unset ETag
FileETag None
</Location>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure