From Fedora Project Wiki

Revision as of 22:52, 11 March 2015 by Rcritten

Description

IDP Installation testing.

Setup

  1. For testing purposes, a machine (or VM) with 1GB of RAM and 4 GB of free disk space for binaries, data and logs should be plenty to set up and run an IPA master.
  2. It is assumed that the IDP is installed on the same server/VM as the IPA master

How to test

Installation

Install the IDP on the same VM as your IPA server for simplicity.

First, install the Ipsilon server packages:

# yum install ipsilon ipsilon-tools ipsilon-authkrb ipsilon-infosssd ipsilon-tools-ipa ipsilon-saml2 ipsilon-authfas ipsilon-authldap ipsilon-authform

Configure the Ipsilon server to use IPA.

# ipsilon-server-install --ipa=yes --form=yes

Configure SSL

The Ipsilon server installer doesn't yet support mod_nss, the Apache SSL module that IPA uses; it always configures mod_ssl instead. mod_ssl and mod_nss cannot both serve port 443 on the same server, so we need to make two minor tweaks to the IDP Apache configuration: switch the one mod_ssl directive Ipsilon uses to its mod_nss equivalent, and drop mod_ssl's default virtual host.

Edit /etc/httpd/conf.d/ipsilon-idp.conf

Replace

  SSLRequireSSL

With

  NSSRequireSSL

Remove /etc/httpd/conf.d/ssl.conf. That file is mod_ssl's default virtual host on port 443 and would conflict with the mod_nss listener IPA already runs there:

  # rm -f /etc/httpd/conf.d/ssl.conf

Note that the mod_ssl package owns this file, so check that it has not come back after package updates.

It is handy to add a rewrite rule to redirect plain http requests against Ipsilon to https. This can be done by adding the following lines to the bottom of /etc/httpd/conf.d/ipsilon-idp.conf; they need mod_rewrite enabled in that context, so add RewriteEngine On above them if the file does not already have it. Be sure to update the hostname to match your IPA/Ipsilon VM if you have deviated from the hostname recommended in the test day instructions! The redirect is a convenience for users who type http:// URLs; it does not make the first request secure, since that one still travels in the clear before the browser follows the redirect.

  # Redirect Ipsilon requests to the secure port
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^/idp(.*) https://ipa.example.com/idp/$1 [L,R=301,NC]

Configure Kerberos local user mapping

Ipsilon is set up for Kerberos authentication, but Kerberos-authenticated users are identified by their full principal name (for example admin@EXAMPLE.COM, if your realm is EXAMPLE.COM). We want our IPA 'admin' user to be able to authenticate either via form-based authentication or via Kerberos to perform Ipsilon administration tasks, which means both paths must yield the same user name. This requires enabling local user mapping in mod_auth_kerb, which maps the principal to a normal local user name (plain 'admin') using the auth_to_local rules from /etc/krb5.conf; by default only principals in the server's own realm map to a bare name, which is what we want here. To enable local user mapping, ensure the following directive is uncommented in /etc/httpd/conf.d/ipsilon-idp.conf:

 KrbLocalUserMapping On

Restart Apache

The above configuration changes will not take effect until Apache is restarted. This can be done by running:

 # systemctl restart httpd

Verify the basics

Firefox should be launched from a machine that is enrolled to the IPA server.

  1. Start firefox.
  2. Visit http://ipa.example.com/idp (with the rewrite rule above in place, the browser should be redirected to https://ipa.example.com/idp/).
  3. Authenticate as 'admin' using the IPA admin password.

Alternatively, you can use Kerberos authentication by following these steps:

  1. Run 'kinit admin' on the VM you are using for Firefox.
  2. Visit http://ipa.example.com/ipa and click on the 'configured' link to the right of the login form. Follow through the steps in the browser to configure Firefox for Kerberos authentication.
  3. Visit http://ipa.example.com/idp and click on 'Log In'. You should be successfully authenticated as the 'admin' user using Kerberos.

Expected Results

All the test steps should end with the specified results.