summaryrefslogtreecommitdiffstats
path: root/install/share/gssproxy.conf.template
Commit message (Collapse)AuthorAgeFilesLines
* Add options to allow ticket cachingSimo Sorce2017-03-161-0/+2
| | | | | | | | | | | | This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6771 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
* Remove allow_constrained_delegation from gssproxy.confPavel Vomacka2017-03-141-1/+0
| | | | | | | | | | | The Apache process must not allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication. https://pagure.io/freeipa/issue/6225 Reviewed-By: Simo Sorce <ssorce@redhat.com>
* Support certificate login after installation and upgradePavel Vomacka2017-03-141-0/+1
| | | | | | | | | | | | Add necessary steps which set SSSD and set SELinux boolean during installation or upgrade. Also create new endpoint in apache for login using certificates. https://pagure.io/freeipa/issue/6225 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
* Add a new user to run the framework codeSimo Sorce2017-02-151-0/+8
| | | | | | | | | | | | | | | | | Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
* Configure HTTPD to work via Gss-ProxySimo Sorce2017-02-151-0/+8
https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
generated by cgit (git 2.34.1) at 2026-01-05 21:46:41 +0000