Re-work httpd configuration a little IPA's httpd configuration contains 10 lines of kerberos authentication configuration repeated several times. This patch pulls those 10 lines into a separate file which is then included from the main file. Apart from purely removing duplication, this allows you to e.g. set up httpd without kerberos auth by writing an empty httpd-auth.conf file. Or, in other words, it makes the main httpd configuration know nothing about kerberos. Signed-off-by: Mark McLoughlin diff -r df7f0770503b ipa-server/ipaserver/httpinstance.py --- a/ipa-server/ipaserver/httpinstance.py Wed Jan 23 15:18:47 2008 +0000 +++ b/ipa-server/ipaserver/httpinstance.py Wed Jan 23 15:30:39 2008 +0000 @@ -114,15 +114,23 @@ class HTTPInstance(service.Service): pent = pwd.getpwnam("apache") os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid) + def __configure_http_auth(self, txt): + sysrestore.backup_file("/etc/httpd/conf/httpd-auth.conf") + auth_fd = open("/etc/httpd/conf/httpd-auth.conf", "w") + auth_fd.write(txt) + auth_fd.close() + def __configure_http(self): http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", - FQDN = self.fqdn, - REALM = self.realm) + FQDN = self.fqdn) sysrestore.backup_file("/etc/httpd/conf.d/ipa.conf") http_fd = open("/etc/httpd/conf.d/ipa.conf", "w") http_fd.write(http_txt) - http_fd.close() - + http_fd.close() + + auth_txt = ipautil.template_file(ipautil.SHARE_DIR + "httpd-auth-krb.conf", + REALM = self.realm) + self.__configure_http_auth(auth_txt) def __disable_mod_ssl(self): if os.path.exists(SSL_CONF): 
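Review bot: `__configure_http_auth` opens `/etc/httpd/conf/httpd-auth.conf` with mode `"w"`, which truncates the live file before `write()` runs, so a failed write leaves an empty file, and per the commit description an empty httpd-auth.conf means httpd is set up without Kerberos auth. The handle is also left open if `write()` raises. Writing to a temporary file in the same directory and renaming it into place keeps the previous auth configuration intact on failure. The file's mode currently comes from the process umask; setting it explicitly so that only root can modify it would fit, since this file now decides whether the protected sections require a login.

```python
    def __configure_http_auth(self, txt):
        sysrestore.backup_file("/etc/httpd/conf/httpd-auth.conf")
        # Write beside the target and rename, so a failed write never leaves
        # an empty (authentication-free) httpd-auth.conf in place.
        tmp_path = "/etc/httpd/conf/httpd-auth.conf.tmp"
        auth_fd = open(tmp_path, "w")
        try:
            auth_fd.write(txt)
        finally:
            auth_fd.close()
        os.rename(tmp_path, "/etc/httpd/conf/httpd-auth.conf")
    # ... unchanged: __configure_http ...
```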
@@ -175,7 +183,9 @@ class HTTPInstance(service.Service): if not enabled is None and not enabled: self.chkconfig_off() - for f in ["/etc/httpd/conf.d/ipa.conf", SSL_CONF, NSS_CONF]: + for f in ["/etc/httpd/conf.d/ipa.conf", + "/etc/httpd/conf/httpd-auth.conf", + SSL_CONF, NSS_CONF]: sysrestore.restore_file(f) sebool_state = self.restore_state("httpd_can_network_connect") diff -r df7f0770503b ipa-server/xmlrpc-server/Makefile.am --- a/ipa-server/xmlrpc-server/Makefile.am Wed Jan 23 15:18:47 2008 +0000 +++ b/ipa-server/xmlrpc-server/Makefile.am Wed Jan 23 15:30:39 2008 +0000 @@ -24,6 +24,7 @@ appdir = $(IPA_DATA_DIR) appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + httpd-auth-krb.conf \ $(NULL) EXTRA_DIST = \ diff -r df7f0770503b ipa-server/xmlrpc-server/httpd-auth-krb.conf --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ipa-server/xmlrpc-server/httpd-auth-krb.conf Wed Jan 23 15:30:39 2008 +0000 @@ -0,0 +1,10 @@ +AuthType Kerberos +AuthName "Kerberos Login" +KrbMethodNegotiate on +KrbMethodK5Passwd off +KrbServiceName HTTP +KrbAuthRealms $REALM +Krb5KeyTab /etc/httpd/conf/ipa.keytab +KrbSaveCredentials on +Require valid-user +ErrorDocument 401 /errors/unauthorized.html diff -r df7f0770503b ipa-server/xmlrpc-server/ipa.conf --- a/ipa-server/xmlrpc-server/ipa.conf Wed Jan 23 15:18:47 2008 +0000 +++ b/ipa-server/xmlrpc-server/ipa.conf Wed Jan 23 15:30:39 2008 +0000 @@ -19,16 +19,8 @@ AddType application/java-archive AddType application/java-archive jar - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /errors/unauthorized.html + Include conf/httpd-auth.conf + RewriteEngine on Order deny,allow Allow from all 
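Review bot: The literal `"/etc/httpd/conf/httpd-auth.conf"` added to the restore list is the third copy of that path in this commit (the other two are in `__configure_http_auth`), while the neighbouring entries use the constants `SSL_CONF` and `NSS_CONF`. A constant such as `HTTPD_AUTH_CONF = "/etc/httpd/conf/httpd-auth.conf"` would keep install and uninstall pointing at the same file. The enclosing function starts and ends outside the hunk. Whether `sysrestore.restore_file` removes a file that did not exist before installation is not visible here; if it does not, the generated auth file would stay behind after uninstall.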
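Review bot: The new template httpd-auth-krb.conf has no header comment, so nothing in it says that `$REALM` is substituted by the installer or that the rendered file is included inside the protected sections of ipa.conf as their only source of `Require valid-user`. I would add a first line such as `# Template for conf/httpd-auth.conf; included by the protected sections of ipa.conf, which carry no other authentication requirement`. `KrbSaveCredentials on` deserves a one-line comment as well, stating why this service needs the client's credentials stored.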
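Review bot: After this change the section's only authentication requirement is whatever `Include conf/httpd-auth.conf` pulls in, and the context lines that follow still read `Order deny,allow` / `Allow from all`, so an empty or truncated include file leaves the section open to any client without an error. The same applies to the Include lines in the later ipa.conf hunks at -64,16 and -95,31. The commit description presents the empty file as a feature, so at minimum a comment belongs above each Include, e.g. `# Authentication comes only from conf/httpd-auth.conf; an empty file disables it for this section`. The relative path presumably resolves against ServerRoot, while the installer writes the absolute `/etc/httpd/conf/httpd-auth.conf`, so the two agree only when ServerRoot is `/etc/httpd`.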
@@ -64,16 +56,7 @@ Alias /config "/usr/share/ipa/html" Alias /config "/usr/share/ipa/html" - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /errors/unauthorized.html + Include conf/httpd-auth.conf SetHandler mod_python PythonHandler ipaxmlrpc @@ -95,31 +78,13 @@ Alias /config "/usr/share/ipa/html" # Protect our CGIs - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate on - KrbMethodK5Passwd off - KrbServiceName HTTP - KrbAuthRealms $REALM - Krb5KeyTab /etc/httpd/conf/ipa.keytab - KrbSaveCredentials on - Require valid-user - ErrorDocument 401 /errors/unauthorized.html + Include conf/httpd-auth.conf #Alias /ipatest "/usr/share/ipa/ipatest" # -# AuthType Kerberos -# AuthName "Kerberos Login" -# KrbMethodNegotiate on -# KrbMethodK5Passwd off -# KrbServiceName HTTP -# KrbAuthRealms $REALM -# Krb5KeyTab /etc/httpd/conf/ipa.keytab -# KrbSaveCredentials on -# Require valid-user -# ErrorDocument 401 /errors/unauthorized.html +# Include conf/httpd-auth.conf # # SetHandler mod_python # PythonHandler test_mod_python