author | Rob Crittenden <rcritten@redhat.com> | 2012-01-10 22:39:26 -0500 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2012-01-10 22:39:26 -0500 |
commit | c08296adff58517934b3ea3e4a6581b55fbc2d0c (patch) | |
tree | c2d8eae25edb6d6b7b51cc53759c2fcd6dcdae6f /install | |
parent | 74857a8ee465819b262c3445ea22119196e92c5e (diff) | |
Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to
delegate tickets to other services. Right now this is limited to
delegation from the IPA HTTP service to the ldap service.
Requires a version of mod_auth_kerb that supports s4u2proxy
https://fedorahosted.org/freeipa/ticket/1098
Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa.conf | 4 | ||||
-rw-r--r-- | install/share/bootstrap-template.ldif | 22 | ||||
-rw-r--r-- | install/updates/30-s4u2proxy.update | 18 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 |
4 files changed, 44 insertions, 1 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 72e3e4c01..f256dab4d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
 #
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
 SetHandler None
 </Location>
+KrbConstrainedDelegationLock ipa
 # Protect /ipa with Kerberos
 <Location "/ipa">
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
 KrbAuthRealms $REALM
 Krb5KeyTab /etc/httpd/conf/ipa.keytab
 KrbSaveCredentials on
+ KrbConstrainedDelegation on
 Require valid-user
 ErrorDocument 401 /ipa/errors/unauthorized.html
 </Location>
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 4f6bc3c97..4fba730b1 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -161,6 +161,28 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: ipaKrb5DelegationACL
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-http-delegation
+memberPrincipal: HTTP/$HOST@$REALM
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-ldap-delegation-targets
+memberPrincipal: ldap/$HOST@$REALM
+
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/updates/30-s4u2proxy.update b/install/updates/30-s4u2proxy.update
new file mode 100644
index 000000000..be1d557e7
--- /dev/null
+++ b/install/updates/30-s4u2proxy.update
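Review bot: `KrbConstrainedDelegation on` is added inside the /ipa Location (and `KrbConstrainedDelegationLock ipa` at server scope in the preceding hunk) with no comment recording that it needs an s4u2proxy-capable mod_auth_kerb, a requirement only the commit message states; an httpd loaded with an older module would presumably refuse to start on the unknown directive, and nothing in the config tells the operator why. A one-line comment above the server-scope directive, `# s4u2proxy (constrained delegation) for the IPA HTTP service; requires mod_auth_kerb with KrbConstrainedDelegation support`, would carry that context into the file. The `<Location "/ipa">` block this hunk edits begins before the hunk.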
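Review bot: The `ipaAllowedTarget` value on the new ipa-http-delegation entry points at `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, but the target group added two entries later is created at `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`, so the ACL references an entry this template never creates. This ACL is what scopes which service tickets HTTP/$HOST may obtain on a user's behalf, so a dangling reference means the intended HTTP-to-ldap delegation presumably fails rather than being constrained as designed; whichever way the KDC treats a missing target, it is not what the commit intends. The line should read `ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`. The same mismatched DN appears in the new install/updates/30-s4u2proxy.update hunk and needs the same correction there.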
@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index cc7117614..20a1ce3a9 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -18,6 +18,7 @@ app_DATA = \
 20-user_private_groups.update \
 20-winsync_index.update \
 21-replicas_container.update \
+ 30-s4u2proxy.update \
 40-delegation.update \
 40-dns.update \
 40-automember.update \
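Review bot: The `ipaAllowedTarget` value in this update file is wrapped in single quotes, `'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'`, while the identical attribute in bootstrap-template.ldif is unquoted; unless the updater strips quotes when parsing a `default:` value (not visible here and worth confirming), the stored DN would carry literal quote characters and could never match the target entry. Whatever quoting the updater expects, the value should equal the dn of the target entry added further down in this hunk, i.e. `default: ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`, with quoting adjusted to the updater's syntax.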