Bug #19550

closed

Set SSL username when supplied from the client

Added by Stephen Benjamin almost 7 years ago. Updated almost 7 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Foreman modules
Target version: -
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1449088

Description of problem:
After updating Satellite from 6.2.8 to 6.2.9, we can no longer log in to the Satellite WEB-UI using Single Sign On with our smart cards.
We have located the source of our problem in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf

BugZilla 1367162 limits the URL scope of how the Apache webserver handles an SSL username supplied from the client. This change in katello.conf breaks the method of how we log in to the Satellite WEB-UI using our smart cards.

Detailed info =====================
https://bugzilla.redhat.com/show_bug.cgi?id=1367162
--- /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf 2016-11-02 09:22:48.308639320 0100
++ /tmp/puppet-file20170502-25928-101m16o 2017-05-02 09:30:58.026811503 +0200
@ -3,7 +3,9 @ # CHANGES WILL LIKELY BE OVERWRITTEN. #

-SSLUsername SSL_CLIENT_S_DN_CN
<Location /pulp/api>
SSLUsername SSL_CLIENT_S_DN_CN
+</Location> =============================

Alias /pub /var/www/html/pub
&lt;Location /pub&gt;
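
Review bot: the new `<Location /pulp/api>` block around `SSLUsername SSL_CLIENT_S_DN_CN` stops the directive from applying to any other path in this virtual host, and the hunk carries no comment saying which paths are expected to depend on it. Any path that authenticates from the client certificate, such as the login URL the report asks about, needs its own explicitly listed scope. A one-line comment above the block naming the covered paths would make the restriction visible to whoever next edits this generated file.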

Can a broader URL scope (Location) that includes the login URL be applied, or alternatively can another solution be found?

Customer got it working by changing these lines in /etc/httpd/conf.d/05-foreman-ssl.d/katello.conf:

Removed this section:
#<Location /pulp/api>
#  SSLUsername SSL_CLIENT_S_DN_CN
#</Location>

Added this section
<LocationMatch /pulp/api|/users/extlogin>
SSLUsername SSL_CLIENT_S_DN_CN
</LocationMatch>

Version-Release number of selected component (if applicable):
Satellite 6.2.9

Actual results:
Smart card SSO not working after the change.

Expected results:
Smart card SSO working after upgrade.

Additional info:
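
Added example, not part of the original report or of the Foreman/Katello code: a check of which request paths the reported `LocationMatch` pattern covers. Apache applies `<LocationMatch>` when the regex matches anywhere in the URL path, so the pattern is compared here with an anchored variant. The anchored regex and the sample paths are assumptions constructed for illustration.

```python
import re

# Pattern exactly as written in the report's <LocationMatch> (unanchored).
REPORTED = re.compile(r"/pulp/api|/users/extlogin")
# Assumed tighter variant: anchored at the start, ending on a path boundary.
ANCHORED = re.compile(r"^/(?:pulp/api|users/extlogin)(?:/|$)")

# Constructed sample request paths (not taken from the report).
SAMPLE_PATHS = [
    "/pulp/api/v2/repositories/",
    "/users/extlogin",
    "/users/login",
    "/api/hosts",
    "/pub/pulp/api",
    "/users/extlogin-old",
]


def in_scope(pattern, path):
    """True if a <LocationMatch> with this regex would apply to path.

    LocationMatch applies when the regex matches anywhere in the URL path,
    which corresponds to re.search() here.
    """
    return pattern.search(path) is not None


def scope_report(paths=SAMPLE_PATHS):
    """Return {path: (reported_applies, anchored_applies)}."""
    return {p: (in_scope(REPORTED, p), in_scope(ANCHORED, p)) for p in paths}


def widened(paths=SAMPLE_PATHS):
    """Paths covered by the reported pattern but not by the anchored one."""
    return [p for p, (r, a) in scope_report(paths).items() if r and not a]


if __name__ == "__main__":
    for path, (r, a) in scope_report().items():
        print(f"{path:30} reported={r!s:5} anchored={a}")
    print("covered only by the unanchored pattern:", widened())
```

Both patterns cover `/pulp/api/...` and `/users/extlogin`; the unanchored one additionally sets the certificate-derived username on any path that merely contains either string.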

Actions #1

Updated by Stephen Benjamin almost 7 years ago

  • Project changed from Foreman to Installer
  • Subject changed from Set SSL username when supplied from the client to Set SSL username when supplied from the client
  • Category set to Foreman modules

Is this something that makes sense to do in puppet-foreman?

Actions #2

Updated by Dominic Cleal almost 7 years ago

  • Project changed from Installer to Katello
  • Category deleted (Foreman modules)

Actions #3

Updated by Ewoud Kohl van Wijngaarden almost 7 years ago

While this was an accidental feature, wouldn't Foreman support this too if we add an additional location?

Actions #4

Updated by Justin Sherrill almost 7 years ago

  • Project changed from Katello to Foreman

Yes, I think that was stbenjam's question, if we should just fix it in puppet-foreman, but I guess it was moved back to Katello without much discussion due to the confusing description.

Actions #5

Updated by Marek Hulán almost 7 years ago

  • Project changed from Foreman to Installer
  • Category set to Foreman modules

I agree, it makes sense to add it to the Foreman module; therefore it belongs to the Foreman installer.

Actions #6

Updated by The Foreman Bot almost 7 years ago

  • Status changed from New to Ready For Testing
  • Assignee set to Marek Hulán
  • Pull request https://github.com/theforeman/puppet-foreman/pull/564 added

Actions #7

Updated by Anonymous almost 7 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100