URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

simo5 commented:
Please change commit message to:

The Apache process *must* not allowed to use constrained delegation to contact 
services because it is already allowed to impersonate users to itself. Allowing 
it to perform constrained delegation would let it impersonate any user against 
the LDAP service without authentication.

See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to