Diffstat (limited to 'install')
-rw-r--r-- | install/conf/ipa.conf | 5 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/ipa-server.conf | 2 | ||||
-rw-r--r-- | install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 | ||||
-rw-r--r-- | install/share/gssproxy.conf.template | 8 | ||||
-rw-r--r-- | install/share/ipa.conf.tmpfiles | 4 |
7 files changed, 17 insertions, 8 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index c1b10d035..f0330c544 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 22 - DO NOT REMOVE THIS LINE
+# VERSION 23 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -42,7 +42,7 @@ WSGISocketPrefix /run/httpd/wsgi
 # Configure mod_wsgi handler for /ipa
 WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
- display-name=%{GROUP} socket-timeout=2147483647
+ user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
 WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
 WSGIScriptReloading Off
@@ -70,6 +70,7 @@ WSGIScriptReloading Off
 GssapiSessionKey file:/etc/httpd/alias/ipasession.key
 GssapiDelegCcacheDir /var/run/ipa/ccaches
+ GssapiDelegCcachePerms mode:0660 gid:ipaapi
 GssapiUseS4U2Proxy on
 GssapiAllowedMech krb5
 Require valid-user
diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
index 2e4c1367b..a1955d6b7 100644
--- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -30,7 +30,7 @@
 send_member="Get"/>
 </policy>
- <policy user="apache">
+ <policy user="ipaapi">
 <allow send_destination="com.redhat.idm.trust"
 send_path="/"
 send_interface="com.redhat.idm.trust"
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
index b2cbf746f..577611f01 100644
--- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
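Review bot: `GssapiDelegCcachePerms mode:0660 gid:ipaapi` in the third ipa.conf hunk, together with `d /var/run/ipa/ccaches 0770 ipaapi ipaapi` in the ipa.conf.tmpfiles hunk, only works if the httpd worker user is a member of group ipaapi, because mod_auth_gssapi still runs as the httpd user and has to create the delegated ccache files in a directory it no longer owns. Nothing in this diff adds that membership, so presumably the installer does it elsewhere, but a reader of ipa.conf cannot see the dependency. I would record it next to the directive: `# httpd user must be in group ipaapi: /var/run/ipa/ccaches is 0770 ipaapi:ipaapi (see ipa.conf.tmpfiles)`. The comment should also say whether the WSGI process writes back into these ccaches; if it only reads the delegated credentials, `mode:0640` would be the tighter setting. The enclosing configuration section starts and ends outside the hunk.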
@@ -10,7 +10,7 @@
 <allow send_destination="org.freeipa.server"
 send_interface="org.freeipa.server"/>
 </policy>
- <policy user="apache">
+ <policy user="ipaapi">
 <allow send_destination="org.freeipa.server"
 send_interface="org.freeipa.server"/>
 </policy>
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
index 3f806966b..012e3cbe3 100644
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -2,7 +2,7 @@
 <oddjobconfig>
 <service name="org.freeipa.server">
 <allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
 <object name="/">
 <interface name="org.freeipa.server">
 <method name="conncheck">
diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
index bc2e8d191..630a4e6cd 100644
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -2,7 +2,7 @@
 <oddjobconfig>
 <service name="com.redhat.idm.trust">
 <allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
 <object name="/">
 <interface name="org.freedesktop.DBus.Introspectable">
 <allow min_uid="0" max_uid="0"/>
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index cb5775de6..fbb158a68 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -6,3 +6,11 @@
 allow_protocol_transition = true
 cred_usage = both
 euid = $HTTPD_USER
+
+[service/ipa-api]
+ mechs = krb5
+ cred_store = keytab:$HTTP_KEYTAB
+ cred_store = client_keytab:$HTTP_KEYTAB
+ allow_constrained_delegation = true
+ cred_usage = initiate
+ euid = $IPAAPI_USER
diff --git a/install/share/ipa.conf.tmpfiles b/install/share/ipa.conf.tmpfiles
index 3037787da..573139bf2 100644
--- a/install/share/ipa.conf.tmpfiles
+++ b/install/share/ipa.conf.tmpfiles
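Review bot: The new `[service/ipa-api]` section in gssproxy.conf.template carries no comment explaining why it exists beside the section above it, which uses the same `$HTTP_KEYTAB` but with `cred_usage = both` and `allow_protocol_transition = true`, while this one is `initiate` only with `allow_constrained_delegation = true`; that split is the least-privilege point of the change and should be readable from the file itself. I would add, before `[service/ipa-api]`: `# WSGI application (runs as $IPAAPI_USER): initiator credentials only, constrained delegation (S4U2Proxy) only, no protocol transition`. The section above starts outside the hunk, so its name is not visible here.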
@@ -1,2 +1,2 @@
-d /var/run/ipa 0700 root root
-d /var/run/ipa/ccaches 0700 apache apache
+d /var/run/ipa 0711 root root
+d /var/run/ipa/ccaches 0770 ipaapi ipaapi