author | Rob Crittenden <rcritten@redhat.com> | 2011-12-08 17:21:07 -0500 |
committer | Rob Crittenden <rcritten@redhat.com> | 2012-01-10 22:38:14 -0500 |
commit | 4f5fe04be87dc117588a8e3b004cd6078844e537 (patch) | |
tree | 68bd1871929f55f2532f63e12c90e8ee7664e878 | |
parent | f65773fb878954e2db5b23c4777290d7949e2c3e (diff) | |
Configure s4u2proxy during installation.
This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX
Within that container we control which services are allowed to
delegate tickets to other services. Right now that is limited to
delegation from the IPA HTTP service to the ldap service.
Requires a version of mod_auth_kerb that supports s4u2proxy
https://fedorahosted.org/freeipa/ticket/1098
-rw-r--r-- | freeipa.spec.in | 5 | ||||
-rw-r--r-- | install/conf/ipa.conf | 4 | ||||
-rw-r--r-- | install/share/bootstrap-template.ldif | 22 | ||||
-rw-r--r-- | install/updates/30-s4u2proxy.update | 18 | ||||
-rw-r--r-- | install/updates/Makefile.am | 1 | ||||
-rw-r--r-- | ipaserver/install/httpinstance.py | 3 |
6 files changed, 51 insertions, 2 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in index 735b036c..312e17be 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -103,7 +103,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd Requires: mod_wsgi -Requires: mod_auth_kerb +Requires: mod_auth_kerb >= 5.4-9 Requires: mod_nss >= 1.0.8-10 Requires: python-ldap Requires: python-krbV @@ -615,6 +615,9 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %changelog +* Wed Jan 11 2012 Rob Crittenden <rcritten@redhat.com> - 2.2.0-6 +- Set min for mod_auth_kerb to 5.4-9 to pick up s4u2proxy support + * Tue Jan 10 2012 Alexander Bokovoy <abokovoy@redhat.com> - 2.2.0-5 - Fix dependency for samba4-devel package diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf index 72e3e4c0..f256dab4 100644 --- a/install/conf/ipa.conf +++ b/install/conf/ipa.conf @@ -1,5 +1,5 @@ # -# VERSION 2 - DO NOT REMOVE THIS LINE +# VERSION 3 - DO NOT REMOVE THIS LINE # # LoadModule auth_kerb_module modules/mod_auth_kerb.so @@ -42,6 +42,7 @@ WSGIScriptReloading Off SetHandler None </Location> +KrbConstrainedDelegationLock ipa # Protect /ipa with Kerberos <Location "/ipa"> @@ -53,6 +54,7 @@ WSGIScriptReloading Off KrbAuthRealms $REALM Krb5KeyTab /etc/httpd/conf/ipa.keytab KrbSaveCredentials on + KrbConstrainedDelegation on Require valid-user ErrorDocument 401 /ipa/errors/unauthorized.html </Location> diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif index 4f6bc3c9..4fba730b 100644 --- a/install/share/bootstrap-template.ldif +++ b/install/share/bootstrap-template.ldif 
@@ -161,6 +161,28 @@ objectClass: nsContainer
 objectClass: top
 cn: posix-ids
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: ipaKrb5DelegationACL
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-http-delegation
+memberPrincipal: HTTP/$HOST@$REALM
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+changetype: add
+objectClass: groupOfPrincipals
+objectClass: top
+cn: ipa-ldap-delegation-targets
+memberPrincipal: ldap/$HOST@$REALM
+
 dn: uid=admin,cn=users,cn=accounts,$SUFFIX
 changetype: add
 objectClass: top
diff --git a/install/updates/30-s4u2proxy.update b/install/updates/30-s4u2proxy.update
new file mode 100644
index 00000000..be1d557e
--- /dev/null
+++ b/install/updates/30-s4u2proxy.update
@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index cc711761..20a1ce3a 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -18,6 +18,7 @@ app_DATA = \
 20-user_private_groups.update \
 20-winsync_index.update \
 21-replicas_container.update \
+ 30-s4u2proxy.update \
 40-delegation.update \
 40-dns.update \
 40-automember.update \
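Review bot: The `ipaAllowedTarget` value in the ipa-http-delegation entry, `cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX`, does not match the DN of the targets entry created two stanzas later, `cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX`; the same mismatch is in install/updates/30-s4u2proxy.update. As written the delegation ACL references an entry this change never creates, so HTTP-to-ldap delegation presumably either fails or depends on how the KDC treats a dangling target DN. The fix is `ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX` in both files, keeping the quoting the .update file uses. A one-line `#` comment above the container stating that memberPrincipal lists the principals allowed to delegate and ipaAllowedTarget names the group they may delegate to would make later edits to this ACL safer.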
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 79b61728..7fa19c10 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -136,6 +136,9 @@ class HTTPInstance(service.Service):
 pent = pwd.getpwnam("apache")
 os.chown("/etc/httpd/conf/ipa.keytab", pent.pw_uid, pent.pw_gid)
+ # Clean up existing ccache
+ installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)
+
 def __configure_http(self):
 target_fname = '/etc/httpd/conf.d/ipa.conf'
 http_txt = ipautil.template_file(ipautil.SHARE_DIR + "ipa.conf", self.sub_dict)
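Review bot: The added `installutils.remove_file('/tmp/krb5cc_%d' % pent.pw_uid)` hard-codes the FILE ccache location, and the comment says what is removed but not why, so a later reader cannot tell whether the removal is still needed once the ccache location is configurable. If the intent is that a ccache left by a previous install could hold credentials obtained before ipa.keytab was regenerated, say so: `# Remove any stale ccache for the apache user so httpd does not reuse credentials obtained before the keytab was regenerated`. It is also worth confirming that `remove_file` tolerates a missing file, since on a fresh install no ccache exists yet; that helper is not visible here. `__configure_http` begins at the end of the hunk and continues outside it.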