From c08296adff58517934b3ea3e4a6581b55fbc2d0c Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 10 Jan 2012 22:39:26 -0500
Subject: Configure s4u2proxy during installation.

This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy

https://fedorahosted.org/freeipa/ticket/1098
---
 install/conf/ipa.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'install/conf')

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 72e3e4c01..f256dab4d 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 2 - DO NOT REMOVE THIS LINE
+# VERSION 3 - DO NOT REMOVE THIS LINE
 #
 # LoadModule auth_kerb_module modules/mod_auth_kerb.so
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
 SetHandler None
+KrbConstrainedDelegationLock ipa
 # Protect /ipa with Kerberos
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
 KrbAuthRealms $REALM
 Krb5KeyTab /etc/httpd/conf/ipa.keytab
 KrbSaveCredentials on
+ KrbConstrainedDelegation on
 Require valid-user
 ErrorDocument 401 /ipa/errors/unauthorized.html
-- 
cgit
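Review bot: `KrbConstrainedDelegationLock ipa` is added at server scope in the second hunk with no comment, and nothing in the file records that the directive only parses on a mod_auth_kerb built with S4U2Proxy support; on an older module httpd will refuse to start on the unknown directive, so the requirement stated in the commit message should be enforced where the package dependency is declared (`Requires: mod_auth_kerb >= <s4u2proxy-capable version>` in the spec, with the real version filled in) rather than left to the operator. A one-line comment above the directive would help whoever next edits the file: `# Lock used by mod_auth_kerb's constrained-delegation (S4U2Proxy) support; needs a mod_auth_kerb with s4u2proxy support`. The `<Location>` blocks that precede and follow this line are not visible in the hunk, so whether the directive really sits outside both cannot be confirmed from here.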
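Review bot: `KrbConstrainedDelegation on` in the third hunk is enabled for the whole protected location without saying what now bounds the delegation: with S4U2Proxy the HTTP service requests tickets for other services on the user's behalf, and per the commit message the permitted target services are decided by the KDC through the cn=s4u2proxy,cn=etc,$SUFFIX container, not by anything in ipa.conf. An operator reading this file should see that, e.g. `# S4U2Proxy: HTTP itself obtains service tickets for the authenticated user; the target services it may reach are restricted in the KDC (cn=s4u2proxy,cn=etc,$SUFFIX), not here`. The same comment should state how this interacts with the existing `KrbSaveCredentials on` on the line above — whether clients still need to forward a TGT — since the hunk keeps that directive and I cannot tell from the hunk alone. The block these directives belong to starts before and ends after the hunk.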