From c08296adff58517934b3ea3e4a6581b55fbc2d0c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 10 Jan 2012 22:39:26 -0500
Subject: Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
---
install/updates/30-s4u2proxy.update | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 install/updates/30-s4u2proxy.update
(limited to 'install/updates/30-s4u2proxy.update')
diff --git a/install/updates/30-s4u2proxy.update b/install/updates/30-s4u2proxy.update
new file mode 100644
index 000000000..be1d557e7
--- /dev/null
+++ b/install/updates/30-s4u2proxy.update
@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM
-- cgit
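Review bot: The ipaAllowedTarget value on the ipa-http-delegation entry names `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, but the targets group two stanzas below is created at `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`, so the ACL points at an entry this update never creates. A constrained-delegation rule whose target set cannot be resolved is either a silent no-op or a denial of every S4U2Proxy request from HTTP/$HOST, and which of the two happens depends on how the KDC's delegation ACL lookup treats a missing group, so it should not be left to chance. The line should read `default: ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`. The single quotes around the value are presumably stripped by the updater's value parser; if they are not, they become part of the stored DN and the lookup fails for a second reason, so it is worth confirming against the parser before keeping them.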