Don't delegate the TGT in ipa-join

Pre 3.0.0 IPA delegated the TGT to enforce access control in
389-ds. At the point that S4U2Proxy support was added there
were still IPA 2.0.x servers in use so this delegation was
left in place in ipa-join so that enrollment would work.

Those days are long gone, remove that support in the XML and
JSON RPC requests.

https://pagure.io/freeipa/issue/8405

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rob Crittenden
2020-07-09 17:40:01 -04:00
parent 04d25dd286
commit 28caa22a8e


@@ -187,13 +187,11 @@ callRPC(char * user_agent,
curlXportParmsP->no_ssl_verifyhost = 0; curlXportParmsP->no_ssl_verifyhost = 0;
curlXportParmsP->cainfo = DEFAULT_CA_CERT_FILE; curlXportParmsP->cainfo = DEFAULT_CA_CERT_FILE;
curlXportParmsP->user_agent = user_agent; curlXportParmsP->user_agent = user_agent;
/* Enable GSSAPI credentials delegation */
curlXportParmsP->gssapi_delegation = 1;
clientparms.transport = "curl"; clientparms.transport = "curl";
clientparms.transportparmsP = (struct xmlrpc_xportparms *) clientparms.transportparmsP = (struct xmlrpc_xportparms *)
curlXportParmsP; curlXportParmsP;
clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation); clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo);
xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION, xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
&clientparms, sizeof(clientparms), &clientparms, sizeof(clientparms),
&clientP); &clientP);
@@ -740,8 +738,6 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
CURL_SETOPT(curl, CURLOPT_WRITEFUNCTION, &jsonrpc_handle_response); CURL_SETOPT(curl, CURLOPT_WRITEFUNCTION, &jsonrpc_handle_response);
CURL_SETOPT(curl, CURLOPT_WRITEDATA, response); CURL_SETOPT(curl, CURLOPT_WRITEDATA, response);
/* delegate authentication to GSSAPI */
CURL_SETOPT(curl, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);
CURL_SETOPT(curl, CURLOPT_HTTPAUTH, CURLAUTH_NEGOTIATE); CURL_SETOPT(curl, CURLOPT_HTTPAUTH, CURLAUTH_NEGOTIATE);
CURL_SETOPT(curl, CURLOPT_USERPWD, ":"); CURL_SETOPT(curl, CURLOPT_USERPWD, ":");
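Review bot: In jsonrpc_request the deleted comment was the only explanation of the Negotiate setup, so the `CURLOPT_HTTPAUTH` line and the `":"` placeholder passed to `CURLOPT_USERPWD` are now undocumented, and nothing records that delegation is off on purpose. I would add `/* Negotiate (SPNEGO) with the ccache credentials; the TGT is deliberately not delegated */` above the `CURLOPT_HTTPAUTH` line, so that a later edit does not reintroduce `CURLOPT_GSSAPI_DELEGATION` without noticing the intent. In callRPC the new `XMLRPC_CXPSIZE(cainfo)` deserves a similar one-line comment saying the size must name the last member assigned above; this assumes cainfo comes after the other assigned members in the struct, which is not visible here. Both function bodies continue outside the hunks.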