From a1c690cc02a021bc400be00808dcf8463744c083 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mkosek@redhat.com>
Date: Thu, 11 Aug 2011 10:42:29 +0200
Subject: Fix client enrollment

Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. The unconditional GSSAPI was previously dropped from
curl because of CVE-2011-2192.

https://fedorahosted.org/freeipa/ticket/1452
---
 ipa-client/ipa-join.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'ipa-client')

diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index 95f2939cd..f6ca69367 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -149,11 +149,13 @@ callRPC(xmlrpc_env *            const envP,
     curlXportParmsP->no_ssl_verifypeer = 1;
     curlXportParmsP->no_ssl_verifyhost = 1;
     curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
+    /* Enable GSSAPI credentials delegation */
+    curlXportParmsP->gssapi_delegation = 1;
 
     clientparms.transport = "curl";
     clientparms.transportparmsP = (struct xmlrpc_xportparms *)
             curlXportParmsP;
-    clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo);
+    clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
     xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
                          &clientparms, sizeof(clientparms),
                          &clientP);
-- 
cgit