Hi
There is one thing that i have never really understood, when a user goes to
https://ipaserver.com/ipa/ui/ he/she get's a Apache login prompt and has to click cancel a coulple of times before getting to the Ipa login screen.
It seems to be caused by /etc/httpd/conf.d/ipa.conf which has the configuration below, why is that even there when it's not even logging users into Ipa?
'
Regards
Per
<Location "/ipa">
AuthType GSSAPI
AuthName "Kerberos Login"
GssapiUseSessions On
Session On
SessionCookieName ipa_session path=/ipa;httponly;secure;
SessionHeader IPASESSION
# Uncomment the following to have shorter sessions, but beware this may break
# old IPA client tols that incorrectly parse cookies.
# SessionMaxAge 1800
GssapiSessionKey file:/etc/httpd/alias/ipasession.key
GssapiImpersonate On
GssapiDelegCcacheDir /run/ipa/ccaches
GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
WSGIApplicationGroup ipa
Header always append X-Frame-Options DENY
Header always append Content-Security-Policy "frame-ancestors 'none'"
# mod_session always sets two copies of the cookie, and this confuses our
# legacy clients, the unset here works because it ends up unsetting only one
# of the 2 header tables set by mod_session, leaving the other intact
Header unset Set-Cookie
# Disable etag http header. Doesn't work well with mod_deflate
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None
</Location>