From 5a03462bfc94d09192c935b2a158958481d1df01 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 30 Mar 2015 04:17:55 -0400
Subject: Use mod_auth_gssapi instead of mod_auth_kerb.

https://fedorahosted.org/freeipa/ticket/4190

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
---
 install/conf/ipa.conf | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

(limited to 'install/conf')

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 62ee955ec..871fab824 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -3,7 +3,6 @@
 #
 # This file may be overwritten on upgrades.
 #
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
 
 ProxyRequests Off
 
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
   SetHandler None
 </Location>
 
-KrbConstrainedDelegationLock ipa
-
 # Protect /ipa and everything below it in webspace with Apache Kerberos auth
 <Location "/ipa">
-  AuthType Kerberos
+  AuthType GSSAPI
   AuthName "Kerberos Login"
-  KrbMethodNegotiate on
-  KrbMethodK5Passwd off
-  KrbServiceName HTTP
-  KrbAuthRealms $REALM
-  Krb5KeyTab /etc/httpd/conf/ipa.keytab
-  KrbSaveCredentials on
-  KrbConstrainedDelegation on
+  GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+  GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+  GssapiDelegCcacheDir /var/run/httpd/clientcaches
+  GssapiUseS4U2Proxy on
   Require valid-user
   ErrorDocument 401 /ipa/errors/unauthorized.html
 </Location>
-- 
cgit