| author | Pavel Vomacka <pvomacka@redhat.com> | 2017-03-14 17:44:01 +0100 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2017-03-14 18:56:03 +0100 |
| commit | f4cd61f3011877fc9cc2a809438059b07362b0aa (patch) | |
| tree | cee5983939bd6ba7e3dab2e0b54ece5a916b5a75 | |
| parent | 2c194d793cd588d595c5ff639fbf5dac93e50e23 (diff) | |
Remove allow_constrained_delegation from gssproxy.conf
The Apache process must not be allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.
https://pagure.io/freeipa/issue/6225
Reviewed-By: Simo Sorce <ssorce@redhat.com>
-rw-r--r-- | install/share/gssproxy.conf.template | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template index d7031448a..fbb158a68 100644 --- a/install/share/gssproxy.conf.template +++ b/install/share/gssproxy.conf.template @@ -4,7 +4,6 @@ cred_store = keytab:$HTTP_KEYTAB cred_store = client_keytab:$HTTP_KEYTAB allow_protocol_transition = true - allow_constrained_delegation = true cred_usage = both euid = $HTTPD_USER |
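Review bot: the hunk drops `allow_constrained_delegation = true` but leaves `allow_protocol_transition = true` in the same section with no comment recording why the first must stay off, so the rationale from the commit message (protocol transition already lets the HTTP service impersonate users to itself; constrained delegation would additionally let it impersonate any user to the LDAP service) survives only in git history and the option could be reintroduced by a later edit. Suggest a one-line comment above `allow_protocol_transition = true` in the template stating that constrained delegation is intentionally not enabled for this service, with a pointer to https://pagure.io/freeipa/issue/6225. Also, since only install/share/gssproxy.conf.template changes, gssproxy.conf files already rendered from the old template on existing servers still carry the option; confirm that the upgrade path regenerates that file, otherwise this change only protects new installations.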