URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

simo5 commented:
"""
Please change commit message to:

The Apache process *must* not be allowed to use constrained delegation to contact 
services because it is already allowed to impersonate users to itself. Allowing 
it to perform constrained delegation would let it impersonate any user against 
the LDAP service without authentication.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/585#issuecomment-286486668
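
A check for the combination the comment above describes, as an added example that is not part of the PR or of FreeIPA's code: it scans gssproxy.conf text for service sections that enable both impersonation-to-self and constrained delegation. It assumes allow_protocol_transition is the gssproxy option that grants "impersonate users to itself"; the sample config, its section names and its paths are constructed placeholders.

```python
# Added example: audit gssproxy service sections for the risky option pair.
TRUTHY = {"1", "true", "yes", "on"}  # assumption: boolean spellings treated as enabled

# Constructed sample config; section names and paths are placeholders.
SAMPLE_CONF = """\
[gssproxy]

[service/example-httpd]
  mechs = krb5
  cred_store = keytab:/placeholder/http.keytab
  cred_store = client_keytab:/placeholder/http.keytab
  allow_protocol_transition = true
  allow_constrained_delegation = true
  euid = 48

[service/example-api]
  mechs = krb5
  cred_store = keytab:/placeholder/http.keytab
  allow_constrained_delegation = true
  euid = 0
"""

def parse_sections(text):
    """Return {section: {key: [values]}}; keys may repeat (e.g. cred_store)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current.setdefault(key.lower(), []).append(value)
    return sections

def enabled(options, key):
    """Conservative for auditing: enabled if any occurrence of the key is truthy."""
    return any(v.lower() in TRUTHY for v in options.get(key, []))

def risky_services(text):
    """Service sections allowing both impersonation-to-self and delegation."""
    return sorted(
        name for name, opts in parse_sections(text).items()
        if name.startswith("service/")
        and enabled(opts, "allow_protocol_transition")
        and enabled(opts, "allow_constrained_delegation")
    )

if __name__ == "__main__":
    for name in risky_services(SAMPLE_CONF):
        print(f"{name}: protocol transition + constrained delegation enabled")
```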