From c08296adff58517934b3ea3e4a6581b55fbc2d0c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 10 Jan 2012 22:39:26 -0500
Subject: Configure s4u2proxy during installation.

This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098
---
 install/share/bootstrap-template.ldif | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

(limited to 'install/share/bootstrap-template.ldif')

diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index 4f6bc3c97..4fba730b1 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -161,6 +161,28 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
 
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: ipaKrb5DelegationACL
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-http-delegation
+memberPrincipal: HTTP/$HOST@$REALM
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-ldap-delegation-targets
+memberPrincipal: ldap/$HOST@$REALM
+
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
-- 
cgit
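Review bot: The `ipaAllowedTarget` value on the ipa-http-delegation entry points at `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, but the targets group added two entries later is created at `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`, so the delegation ACL references a DN this LDIF never creates. The fix is the single line `ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`. As written the HTTP principal's permitted-target set presumably resolves to nothing, which fails closed rather than open, but it also means the constrained delegation this commit sets up would not actually work, and nothing in the template would surface the dangling reference. Since this entry is the only place that grants any principal the right to obtain tickets on a user's behalf, a short `#` comment above the s4u2proxy container stating that intent, and noting that this template only carries $HOST so replica HTTP/ldap principals have to be added to these groups separately, would help whoever audits or extends it later.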