mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
gssproxy: Don't refresh expired delegated credentials
`mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches` and pass down that path as `KRB5CCNAME` env variable to WSGI worker. GSSProxy in turn, protects these credentials from direct usage of `ipa-api`. But the configuration of `service/ipa-api` (in particular, 'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') and default GSS name ('=None') dictates to refresh expired credentials with the client's keytab overwriting the origin credentials with initial credentials of keytab's principal. Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
0a169b1bea
commit
0ebc59c26d
@ -11,7 +11,6 @@
|
||||
[service/ipa-api]
|
||||
mechs = krb5
|
||||
cred_store = keytab:$HTTP_KEYTAB
|
||||
cred_store = client_keytab:$HTTP_KEYTAB
|
||||
allow_constrained_delegation = true
|
||||
allow_client_ccache_sync = true
|
||||
cred_usage = initiate
|
||||
|
Loading…
Reference in New Issue
Block a user