freeipa-server 4.3.1-0ubuntu1 / usr / share / ipa / ipa.conf

This file is indexed.

/usr/share/ipa/ipa.conf is in freeipa-server 4.3.1-0ubuntu1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below. 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
#
# VERSION 19 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#

ProxyRequests Off


#We use xhtml, a file format that the browser validates
DirectoryIndex index.html


# Substantially increase the request field size to support MS-PAC
# requests, ticket #2767. This should easily support a 64KiB PAC.
LimitRequestFieldSize 100000

# ipa-rewrite.conf is loaded separately

# This is required so the auto-configuration works with Firefox 2+
AddType application/java-archive        jar
AddType application/x-xpinstall         xpi

# Proper header for .tff fonts
AddType application/x-font-ttf          ttf

# Enable compression
AddOutputFilterByType DEFLATE text/html text/plain text/xml \
 application/javascript application/json text/css \
 application/x-font-ttf

# Disable etag http header. Doesn't work well with mod_deflate
# https://issues.apache.org/bugzilla/show_bug.cgi?id=45023
# Usage of last-modified header and modified-since validator is sufficient.
Header unset ETag
FileETag None

# FIXME: WSGISocketPrefix is a server-scope directive.  The mod_wsgi package
# should really be fixed by adding this its /etc/httpd/conf.d/wsgi.conf:
WSGISocketPrefix /run/apache2/wsgi


# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 display-name=%{GROUP}
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off


# Turn off mod_msgi handler for errors, config, crl:
<Location "/ipa/errors">
  SetHandler None
</Location>
<Location "/ipa/config">
  SetHandler None
</Location>
<Location "/ipa/crl">
  SetHandler None
</Location>

# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
  AuthType GSSAPI
  AuthName "Kerberos Login"
  GssapiCredStore keytab:/etc/apache2/ipa.keytab
  GssapiCredStore client_keytab:/etc/apache2/ipa.keytab
  GssapiDelegCcacheDir /var/run/apache2/ipa/clientcaches
  GssapiUseS4U2Proxy on
  GssapiAllowedMech krb5
  Require valid-user
  ErrorDocument 401 /ipa/errors/unauthorized.html
  WSGIProcessGroup ipa
  WSGIApplicationGroup ipa
</Location>

# Turn off Apache authentication for sessions
<Location "/ipa/session/json">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/xml">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/login_password">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/change_password">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

<Location "/ipa/session/sync_token">
  Satisfy Any
  Order Deny,Allow
  Allow from all
</Location>

# Custodia stuff is redirected to the custodia daemon
# after authentication
<Location "/ipa/keys/">
    ProxyPass "unix:/run/apache2/ipa-custodia.sock|http://localhost/keys/"
    RequestHeader set GSS_NAME %{GSS_NAME}s
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
</Location>

# This is where we redirect on failed auth
Alias /ipa/errors "/usr/share/ipa/html"

# For the MIT Windows config files
Alias /ipa/config "/usr/share/ipa/html"

# Do no authentication on the directory that contains error messages
<Directory "/usr/share/ipa/html">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 0 seconds"
</Directory>


# For CRL publishing
Alias /ipa/crl "$CRL_PUBLISH_PATH"
<Directory "$CRL_PUBLISH_PATH">
  SetHandler None
  AllowOverride None
  Options Indexes FollowSymLinks
  Satisfy Any
  Allow from all
</Directory>


#  List explicitly only the fonts we want to serve
Alias /ipa/ui/fonts/open-sans "/usr/share/fonts/truetype/open-sans"
Alias /ipa/ui/fonts/fontawesome "/usr/share/fonts/truetype/font-awesome"
<Directory "/usr/share/fonts">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
</Directory>


#  webUI  is now completely static, and served out of that directory
Alias /ipa/ui "/usr/share/ipa/ui"
<Directory "/usr/share/ipa/ui">
  SetHandler None
  AllowOverride None
  Satisfy Any
  Allow from all
  ExpiresActive On
  ExpiresDefault "access plus 1 year"
  <FilesMatch "(index.html|loader.js|login.html|reset_password.html)">
        ExpiresDefault "access plus 0 seconds"
  </FilesMatch>
</Directory>

#  Simple wsgi scripts required by ui
Alias /ipa/wsgi "/usr/share/ipa/wsgi"
<Directory "/usr/share/ipa/wsgi">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>

# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
    AllowOverride None
    Satisfy Any
    Allow from all
    Options ExecCGI
    AddHandler wsgi-script .py
</Directory>

APT Browse - Built by Thomas Orozco.