author Christian Heimes <cheimes@redhat.com> 2015-07-17 12:40:29 +0200
committer Martin Basti <mbasti@redhat.com> 2015-11-26 15:20:19 +0100
commit b6c893aae63b6b77871c775d062a5c7e1c470ad9 (patch)
tree 1528918fe7c6bdbb60be0b74022ef1df698fff7b /install/conf
parent 8403bd9d15a7817a15b85d8e108cad1c155aadbc (diff)
mod_auth_gssapi: Remove ntlmssp support and restrict mechanism to krb5
By default mod_auth_gssapi allows all locally available mechanisms. If the gssntlmssp package is installed, it also offers ntlmssp. This has the annoying side effect that some browsers will pop up a username/password request dialog if no Krb5 credentials are available.

The patch restricts the mechanism to krb5 and removes ntlmssp and iakerb support from Apache's ipa.conf. The new feature was added to mod_auth_gssapi 1.3.0.

https://fedorahosted.org/freeipa/ticket/5114

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Diffstat (limited to 'install/conf')
-rw-r--r-- install/conf/ipa.conf 1
1 files changed, 1 insertions, 0 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index af58e517b..8d4fea35e 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -66,6 +66,7 @@ WSGIScriptReloading Off
GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
GssapiDelegCcacheDir /var/run/httpd/ipa/clientcaches
GssapiUseS4U2Proxy on
+ GssapiAllowedMech krb5
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
WSGIProcessGroup ipa
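Review bot: the added `GssapiAllowedMech krb5` line depends on mod_auth_gssapi 1.3.0 or later according to the commit message, but this view is limited to install/conf and shows no matching change to the package's minimum version requirement. httpd refuses to start when it meets a directive that no loaded module recognizes, so please confirm the packaging requires mod_auth_gssapi >= 1.3.0 alongside this change. A one-line comment above the directive stating that it keeps ntlmssp and iakerb from being offered would also help, since nothing in the visible context explains why the mechanism list is restricted.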