This option is required by the upcoming IdM (ipa-server) release
I'll add more info, from pull request <https://github.com/modauthgssapi/mod_auth_gssapi/pull/87/commits/03d965e57abddc0eed2b4987c866b049921d06d7>:

"""
### GssapiImpersonate

This option can be used even if AuthType GSSAPI is not used for a given Location or LocationMatch, to obtain a service ticket for a user that was already authenticated by a different module. The principal of the user is retrieved from the internal r->user identifier, which typically holds the username from the authentication results.

Make sure the server principal is set to allow it to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation, for example with the option +ok_to_auth_as_delegate.

- **Enable with:** GssapiImpersonate On
- **Default:** GssapiImpersonate Off
"""

It is needed for bug 1317377 - IdM, Web UI: allow Federated authentication.
Link to Pull Request: https://github.com/modauthgssapi/mod_auth_gssapi/pull/87/commits/03d965e57abddc0eed2b4987c866b049921d06d7
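As an added illustration of the option described in the pull request (example configuration written for this note; it is not taken from the PR, from the config FreeIPA ships, or from the ipa-server package), here is an httpd Location where the user is authenticated by other modules and placed in r->user, after which mod_auth_gssapi uses GssapiImpersonate to obtain a ticket for that user. The hostname, realm, paths, Location name and the mod_nss/mod_lookup_identity directive names are assumptions; the FreeIPA setup page linked later in this bug describes the real configuration.

```apache
# Added example, not from the PR or from FreeIPA. Hostname, realm, paths and
# the Location path are placeholders.
#
# Precondition on the KDC side (the PR's "+ok_to_auth_as_delegate"): the web
# server's own principal must be allowed to request tickets to itself on
# behalf of arbitrary users (S4U2Self), for example with kadmin:
#   modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test@EXAMPLE.TEST
# Without that flag the impersonation request fails and no ticket is obtained.

<Location "/ipa/session/login_x509">
    # Authentication is done by different modules here: mod_nss verifies the
    # client certificate and mod_lookup_identity maps it to a user name in
    # r->user (directive names assumed; check the versions in use).
    NSSVerifyClient require
    LookupUserByCertificate On

    # No "AuthType GSSAPI" in this Location: mod_auth_gssapi only performs
    # impersonation for the user already set in r->user above.
    GssapiImpersonate On

    # The server's own keytab is used both to accept and, for the
    # impersonation, to initiate; the second line is the initiator side.
    GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
    GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab

    # Store the obtained credential cache so the application behind this
    # Location can act as the user (the same directive used for delegated
    # credentials).
    GssapiDelegCcacheDir /var/run/ipa/ccaches
</Location>
```

The check a practitioner wants after enabling this: with the KDC flag missing, a request to the Location should still be authenticated by the certificate modules but no ccache appears under GssapiDelegCcacheDir; with the flag set, a ccache for the mapped user appears. Because the server principal can then obtain tickets for any user, keep GssapiImpersonate limited to Locations whose preceding authentication you trust, not server-wide.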
Please provide steps to verify this.
It could likely be tested as part of the smart card / x509 feature testing: http://www.freeipa.org/page/V4/External_Authentication/Setup
Please see the page Jan posted.
FYI, I do see that option on an IPA server being used for testing IPA Web UI authentication with smart cards.

[root@auto-hv-02-guest07 ~]# cd /etc/httpd/conf.d
[root@auto-hv-02-guest07 conf.d]# ls
autoindex.conf      ipa-rewrite.conf      userdir.conf
ipa.conf            lookup_identity.conf  welcome.conf
ipa-kdc-proxy.conf  nss.conf              xx-ipa-experimental-x509-auth.conf
ipa-pki-proxy.conf  README
[root@auto-hv-02-guest07 conf.d]# grep -i gssapiimpersonate *
xx-ipa-experimental-x509-auth.conf: GssapiImpersonate On
[root@dhcp129-34 ~]# rpm -qi ipa-server
Name        : ipa-server
Version     : 4.4.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:46 PM EDT
Group       : System Environment/Base
Size        : 1019056
License     : GPLv3+
Signature   : (none)
Source RPM  : ipa-4.4.0-12.el7.src.rpm
Build Date  : Fri 16 Sep 2016 05:23:17 AM EDT
Build Host  : x86-037.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Followed the instructions in the document in comment 8. The certificate on the card was issued by an external CA and the CA was trusted in the browser. The token was loaded in the browser. A password was set for the IPA user; su to the user prompted for a new password as the password had expired. Login to the IPA web UI using the smart card PIN was successful.
[root@dhcp129-34 ~]# rpm -qi mod_auth_gssapi
Name        : mod_auth_gssapi
Version     : 1.4.0
Release     : 1.el7
Architecture: x86_64
Install Date: Wed 21 Sep 2016 12:16:21 PM EDT
Group       : System Environment/Daemons
Size        : 137027
License     : MIT
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:19:04 AM EDT, Key ID 938a80caf21541eb
Source RPM  : mod_auth_gssapi-1.4.0-1.el7.src.rpm
Build Date  : Tue 21 Jun 2016 10:00:58 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://github.com/modauthgssapi/mod_auth_gssapi
Summary     : A GSSAPI Authentication module for Apache

The above build was used for verification.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html