Diffstat (limited to 'install')
-rw-r--r--install/conf/ipa.conf5
-rw-r--r--install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf2
-rw-r--r--install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf2
-rw-r--r--install/oddjob/etc/oddjobd.conf.d/ipa-server.conf2
-rw-r--r--install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf2
-rw-r--r--install/share/gssproxy.conf.template8
-rw-r--r--install/share/ipa.conf.tmpfiles4
7 files changed, 17 insertions, 8 deletions
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index c1b10d035..f0330c544 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 22 - DO NOT REMOVE THIS LINE
+# VERSION 23 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
@@ -42,7 +42,7 @@ WSGISocketPrefix /run/httpd/wsgi
# Configure mod_wsgi handler for /ipa
WSGIDaemonProcess ipa processes=2 threads=1 maximum-requests=500 \
- display-name=%{GROUP} socket-timeout=2147483647
+ user=ipaapi group=ipaapi display-name=%{GROUP} socket-timeout=2147483647
WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa
WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py
WSGIScriptReloading Off
@@ -70,6 +70,7 @@ WSGIScriptReloading Off
GssapiSessionKey file:/etc/httpd/alias/ipasession.key
GssapiDelegCcacheDir /var/run/ipa/ccaches
+ GssapiDelegCcachePerms mode:0660 gid:ipaapi
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
Require valid-user
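Review bot: `GssapiDelegCcachePerms mode:0660 gid:ipaapi` on L38 has httpd, still running as the apache user, chgrp every delegated ccache to ipaapi, and a non-root process can only do that if apache is a supplementary member of the ipaapi group; the diff does not show where that membership is created (presumably the spec file or installer), so it should be verified, and the same requirement applies to the `0770 ipaapi ipaapi` ccaches directory in the ipa.conf.tmpfiles hunk (L115). A comment above L38 would record the contract, e.g. `# ccaches are created by the apache user but consumed by the ipaapi WSGI process; apache must be in group ipaapi`. The enclosing directive block starts before this hunk and ends after it.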
diff --git a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
index 2e4c1367b..a1955d6b7 100644
--- a/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
+++ b/install/oddjob/etc/dbus-1/system.d/oddjob-ipa-trust.conf
@@ -30,7 +30,7 @@
send_member="Get"/>
</policy>
- <policy user="apache">
+ <policy user="ipaapi">
<allow send_destination="com.redhat.idm.trust"
send_path="/"
send_interface="com.redhat.idm.trust"
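Review bot: The switch from `user="apache"` to `user="ipaapi"` here and in the other three oddjob/D-Bus files (L64, L77, L90) ties these policies to the `user=ipaapi` WSGIDaemonProcess setting in ipa.conf, but none of the four files records that coupling. An XML comment above the policy, e.g. `<!-- ipaapi: the account the IPA WSGI daemon runs as (see WSGIDaemonProcess in install/conf/ipa.conf) -->`, would keep the two from drifting apart on a later rename. Because apache is dropped rather than kept alongside ipaapi, anything that still runs as apache loses access to these services; that looks like the intended least-privilege outcome, but confirm no caller outside the WSGI process remains. The enclosing policy and busconfig elements start before and end after this hunk.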
diff --git a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
index b2cbf746f..577611f01 100644
--- a/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
+++ b/install/oddjob/etc/dbus-1/system.d/org.freeipa.server.conf
@@ -10,7 +10,7 @@
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
- <policy user="apache">
+ <policy user="ipaapi">
<allow send_destination="org.freeipa.server" send_interface="org.freeipa.server"/>
</policy>
diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
index 3f806966b..012e3cbe3 100644
--- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf
@@ -2,7 +2,7 @@
<oddjobconfig>
<service name="org.freeipa.server">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
<object name="/">
<interface name="org.freeipa.server">
<method name="conncheck">
diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
index bc2e8d191..630a4e6cd 100644
--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
@@ -2,7 +2,7 @@
<oddjobconfig>
<service name="com.redhat.idm.trust">
<allow user="root"/>
- <allow user="apache"/>
+ <allow user="ipaapi"/>
<object name="/">
<interface name="org.freedesktop.DBus.Introspectable">
<allow min_uid="0" max_uid="0"/>
diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index cb5775de6..fbb158a68 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -6,3 +6,11 @@
allow_protocol_transition = true
cred_usage = both
euid = $HTTPD_USER
+
+[service/ipa-api]
+ mechs = krb5
+ cred_store = keytab:$HTTP_KEYTAB
+ cred_store = client_keytab:$HTTP_KEYTAB
+ allow_constrained_delegation = true
+ cred_usage = initiate
+ euid = $IPAAPI_USER
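Review bot: The new `[service/ipa-api]` section is deliberately narrower than `[service/ipa-httpd]` above it — `cred_usage = initiate` and `allow_constrained_delegation = true` instead of `cred_usage = both` and `allow_protocol_transition = true` — while sharing the same `$HTTP_KEYTAB`, and the template does not say why. A comment above L100 stating the intent would help, e.g. `# WSGI process ($IPAAPI_USER): presumably only initiates with already-delegated credentials; no accept, no protocol transition`, adjusted to the actual design. gssproxy matches callers to service sections by `euid`, so `$IPAAPI_USER` must be substituted with an account distinct from `$HTTPD_USER`; that substitution is outside this diff.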
diff --git a/install/share/ipa.conf.tmpfiles b/install/share/ipa.conf.tmpfiles
index 3037787da..573139bf2 100644
--- a/install/share/ipa.conf.tmpfiles
+++ b/install/share/ipa.conf.tmpfiles
@@ -1,2 +1,2 @@
-d /var/run/ipa 0700 root root
-d /var/run/ipa/ccaches 0700 apache apache
+d /var/run/ipa 0711 root root
+d /var/run/ipa/ccaches 0770 ipaapi ipaapi
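Review bot: `/var/run/ipa` goes from 0700 to 0711, so every local account can now traverse it and each entry underneath relies solely on its own mode; if the only consumers needing traversal are httpd and the WSGI process, `d /var/run/ipa 0710 root ipaapi` would keep the directory closed to other users (this assumes the apache user is also in the ipaapi group, which the diff does not show). As I understand tmpfiles `d` semantics, the ccaches line re-owns the directory itself on an existing install but not files already created under `apache apache`, so the upgrade path should be checked for that. A `#` comment above the ccaches line, e.g. `# written by httpd (apache, via GssapiDelegCcacheDir), read by the ipaapi WSGI process`, would document why the directory is group-writable.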