URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
From 51aeaec986dffddd563b24352842a20337a26bce Mon Sep 17 00:00:00 2001
From: Pavel Vomacka <pvoma...@redhat.com>
Date: Tue, 14 Mar 2017 17:44:01 +0100
Subject: [PATCH] Remove allow_constrained_delegation from gssproxy.conf

The Apache process must not be allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225
---
 install/share/gssproxy.conf.template | 1 -
 1 file changed, 1 deletion(-)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index d703144..fbb158a 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,7 +4,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
-  allow_constrained_delegation = true
   cred_usage = both
   euid = $HTTPD_USER
 
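Review bot: Removing `allow_constrained_delegation = true` only in `install/share/gssproxy.conf.template` (the diffstat shows one file changed) fixes new installs, but a server whose gssproxy.conf was already rendered from the old template keeps the setting unless the upgrade path re-renders that file. Please confirm the upgrade code regenerates the config, or add an upgrade step that drops the line and restarts gssproxy. A short comment in the template next to `allow_protocol_transition = true`, saying that constrained delegation is deliberately absent for the reason given in the commit message, would also help keep the option from being re-added later.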
-- 