URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
From 51aeaec986dffddd563b24352842a20337a26bce Mon Sep 17 00:00:00 2001 From: Pavel Vomacka <pvoma...@redhat.com> Date: Tue, 14 Mar 2017 17:44:01 +0100 Subject: [PATCH] Remove allow_constrained_delegation from gssproxy.conf The Apache process must not be allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication. https://pagure.io/freeipa/issue/6225 --- install/share/gssproxy.conf.template | 1 - 1 file changed, 1 deletion(-) diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index d703144..fbb158a 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,7 +4,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true - allow_constrained_delegation = true cred_usage = both euid = $HTTPD_USER
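Review bot: the diffstat shows only install/share/gssproxy.conf.template changing, so dropping allow_constrained_delegation = true in this hunk reaches newly rendered configurations only; a server that was already deployed keeps its generated gssproxy.conf with the option still set unless an upgrade step rewrites the file. Given that the commit message describes the option as letting Apache impersonate any user against the LDAP service without authentication, please add (or confirm) an upgrade path that regenerates the file or strips the line. A one-line comment beside allow_protocol_transition = true saying why constrained delegation must stay off for this service would also help keep the option from being reintroduced later.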
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code