From 2da6d6e7460b932f406b7f0632320433f9f98a85 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Wed, 15 Feb 2012 17:06:54 +0100
Subject: Don't set delegation flag in client, we're using S4U2Proxy now

A forwardable ticket is still required but we no longer need to send the TGT to the IPA server. A new flag, --delegate, is available if the old behavior is required. Set the minimum n-v-r for mod_auth_kerb and krb5-server to pick up needed patches for S4U2Proxy to work.
https://fedorahosted.org/freeipa/ticket/1098
https://fedorahosted.org/freeipa/ticket/2246
---
 install/share/bootstrap-template.ldif | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'install')
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index b58bfd7e..e33f0657 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -174,7 +174,7 @@ objectClass: groupOfPrincipals
 objectClass: top
 cn: ipa-http-delegation
 memberPrincipal: HTTP/$HOST@$REALM
-ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX
+ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 
 dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
 changetype: add
-- cgit
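Review bot: The corrected `ipaAllowedTarget` on `cn=ipa-http-delegation` only reaches servers installed after this change, because the hunk edits the bootstrap template and the diffstat for this path shows no other file. Servers bootstrapped from the old template presumably still carry the value under `cn=etc,$SUFFIX`, which does not match the target entry the template creates under `cn=s4u2proxy,cn=etc,$SUFFIX`, so their delegation rule would name a target that does not exist. The upgrade path should replace the old value on existing servers, and that is worth confirming in the parts of the commit not shown in this path-limited view. Since the rule and its target group are tied only by this DN string, a comment above the attribute such as `# ipaAllowedTarget must equal the dn of the ipa-ldap-delegation-targets entry below` would make the coupling explicit. The commit description also does not mention this DN correction, so a reader tracing the S4U2Proxy rule change will not find it from the message.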