IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

gssproxy: Don't refresh expired delegated credentials

Browse Source 
`mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches`
and pass down that path as `KRB5CCNAME` env variable to WSGI worker.

GSSProxy in turn, protects these credentials from direct usage of
`ipa-api`. But the configuration of `service/ipa-api` (in particular,
'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') and
default GSS name ('=None') dictates to refresh expired credentials
with the client's keytab overwriting the origin credentials with
initial credentials of keytab's principal.

Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
Stanislav Levin 2021-06-10 11:04:21 +03:00 committed by Alexander Bokovoy
parent 0a169b1bea
commit 0ebc59c26d
1 changed files with 0 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
install/share/gssproxy.conf.template
View File

@ -11,7 +11,6 @@
[service/ipa-api] [service/ipa-api]
mechs = krb5 mechs = krb5
cred_store = keytab:$HTTP_KEYTAB cred_store = keytab:$HTTP_KEYTAB
cred_store = client_keytab:$HTTP_KEYTAB
allow_constrained_delegation = true allow_constrained_delegation = true
allow_client_ccache_sync = true allow_client_ccache_sync = true
cred_usage = initiate cred_usage = initiate