authorRob Crittenden <rcritten@redhat.com>2012-01-10 22:39:26 -0500
committerRob Crittenden <rcritten@redhat.com>2012-01-10 22:39:26 -0500
commitc08296adff58517934b3ea3e4a6581b55fbc2d0c (patch)
treec2d8eae25edb6d6b7b51cc53759c2fcd6dcdae6f /install/conf
parent74857a8ee465819b262c3445ea22119196e92c5e (diff)
downloadfreeipa-c08296adff58517934b3ea3e4a6581b55fbc2d0c.tar.gz
freeipa-c08296adff58517934b3ea3e4a6581b55fbc2d0c.tar.xz
freeipa-c08296adff58517934b3ea3e4a6581b55fbc2d0c.zip
Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX. Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited to delegation from the IPA HTTP service to the ldap service. Requires a version of mod_auth_kerb that supports s4u2proxy. https://fedorahosted.org/freeipa/ticket/1098
Diffstat (limited to 'install/conf')
-rw-r--r--install/conf/ipa.conf4
1 files changed, 3 insertions, 1 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 72e3e4c01..f256dab4d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
SetHandler None
</Location>
+KrbConstrainedDelegationLock ipa
# Protect /ipa with Kerberos
<Location "/ipa">
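Review bot: `KrbConstrainedDelegationLock ipa` is added at server scope with no comment, and Apache refuses to start on a directive the loaded module does not define, so this template now depends on a mod_auth_kerb build with s4u2proxy support (the commit message says as much). Because the VERSION line is bumped in the same file, existing servers will presumably receive this template on upgrade, so the package dependency should require a mod_auth_kerb version that has the directive; whether it does is not visible in this path-limited diff. I would add a comment above the line, for example `# s4u2proxy: requires mod_auth_kerb with constrained-delegation support`, and state what the `ipa` argument names once that is confirmed against the module documentation.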
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
+ KrbConstrainedDelegation on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
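Review bot: `KrbConstrainedDelegation on` is added directly under `KrbSaveCredentials on`, and nothing here says which of the two the /ipa application is meant to rely on. If a client that still forwards a TGT has it saved as before, the web server keeps holding fully delegated credentials for that user, and the narrowing to HTTP-to-ldap described in the commit message applies only to clients that do not forward. That behaviour is not visible in this hunk and should be confirmed against the patched module. The allow-list itself lives in cn=s4u2proxy,cn=etc,$SUFFIX rather than in this file, so a comment such as `# Delegation targets are restricted by cn=s4u2proxy,cn=etc,$SUFFIX in LDAP` would point a reader to where the restriction is enforced. The `<Location "/ipa">` block opens above this hunk.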