Fix client enrollment

Enable GSSAPI credentials delegation in xmlrpc-c/curl to fix client
enrollment. Unconditional GSSAPI credentials delegation was previously
dropped from curl because of CVE-2011-2192.

https://fedorahosted.org/freeipa/ticket/1452
Martin Kosek 2011-08-11 10:42:29 +02:00 committed by Endi S. Dewata
parent bb31d3df21
commit a1c690cc02
2 changed files with 30 additions and 3 deletions


@ -36,8 +36,18 @@ BuildRequires: openldap-devel
BuildRequires: krb5-devel BuildRequires: krb5-devel
BuildRequires: krb5-workstation BuildRequires: krb5-workstation
BuildRequires: libuuid-devel BuildRequires: libuuid-devel
BuildRequires: xmlrpc-c-devel %if 0%{?fedora} >= 16
BuildRequires: libcurl-devel >= 7.21.7-2
BuildRequires: xmlrpc-c-devel >= 1.27.4
%else
%if 0%{?fedora} == 15
BuildRequires: libcurl-devel >= 7.21.3-9
BuildRequires: xmlrpc-c-devel >= 1.25.4
%else
BuildRequires: libcurl-devel BuildRequires: libcurl-devel
BuildRequires: xmlrpc-c-devel
%endif
%endif
BuildRequires: popt-devel BuildRequires: popt-devel
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -150,7 +160,18 @@ Requires: krb5-workstation
Requires: authconfig Requires: authconfig
Requires: pam_krb5 Requires: pam_krb5
Requires: wget Requires: wget
Requires: xmlrpc-c %if 0%{?fedora} >= 16
Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
%else
%if 0%{?fedora} == 15
Requires: libcurl >= 7.21.3-9
Requires: xmlrpc-c >= 1.25.4
%else
Requires: libcurl
Requires: xmlrpc-c
%endif
%endif
Requires: sssd >= 1.5.1 Requires: sssd >= 1.5.1
Requires: certmonger >= 0.26 Requires: certmonger >= 0.26
Requires: nss-tools Requires: nss-tools
@ -514,6 +535,10 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
%changelog %changelog
* Thu Aug 11 2011 Martin Kosek <mkosek@redhat.com> - 2.0.90-11
- Set min nvr of xmlrpc-c and libcurl to make sure GSSAPI delegation
support is in
* Tue Aug 2 2011 Endi S. Dewata <edewata@redhat.com> - 2.0.90-10 * Tue Aug 2 2011 Endi S. Dewata <edewata@redhat.com> - 2.0.90-10
- Add *.ico files - Add *.ico files
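Review bot: The innermost `%else` branches of both conditionals leave `libcurl`/`libcurl-devel` and `xmlrpc-c`/`xmlrpc-c-devel` unversioned, so on anything other than Fedora 15 and 16+ nothing ensures that the delegation support the changelog entry refers to is present. Since the client code in this commit sets `gssapi_delegation` unconditionally, a build against an older xmlrpc-c-devel would presumably fail, and an older libcurl at run time would likely leave enrollment broken without a clear error. At minimum I would add a comment above each conditional, e.g. `# Minimum NVRs that carry GSSAPI delegation support, required for client enrollment`, and note there that other build targets need equivalent builds.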


@ -149,11 +149,13 @@ callRPC(xmlrpc_env * const envP,
curlXportParmsP->no_ssl_verifypeer = 1; curlXportParmsP->no_ssl_verifypeer = 1;
curlXportParmsP->no_ssl_verifyhost = 1; curlXportParmsP->no_ssl_verifyhost = 1;
curlXportParmsP->cainfo = "/etc/ipa/ca.crt"; curlXportParmsP->cainfo = "/etc/ipa/ca.crt";
/* Enable GSSAPI credentials delegation */
curlXportParmsP->gssapi_delegation = 1;
clientparms.transport = "curl"; clientparms.transport = "curl";
clientparms.transportparmsP = (struct xmlrpc_xportparms *) clientparms.transportparmsP = (struct xmlrpc_xportparms *)
curlXportParmsP; curlXportParmsP;
clientparms.transportparm_size = XMLRPC_CXPSIZE(cainfo); clientparms.transportparm_size = XMLRPC_CXPSIZE(gssapi_delegation);
xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION, xmlrpc_client_create(envP, XMLRPC_CLIENT_NO_FLAGS, NAME, VERSION,
&clientparms, sizeof(clientparms), &clientparms, sizeof(clientparms),
&clientP); &clientP);
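Review bot: The new comment on `gssapi_delegation = 1` does not say what is delegated or to whom, and it sits directly under context lines that set `no_ssl_verifypeer` and `no_ssl_verifyhost` to 1, so TLS does not authenticate the server that receives the forwarded Kerberos credentials; presumably only GSSAPI mutual authentication against the server's service principal does. I would spell that out, e.g. `/* Delegate the caller's Kerberos credentials to the IPA server; TLS verification is off above, so the peer is authenticated by Kerberos only */`. Separately, widening `transportparm_size` from `XMLRPC_CXPSIZE(cainfo)` to `XMLRPC_CXPSIZE(gssapi_delegation)` makes the library read every member declared between those two fields, so the structure must be zeroed after allocation; that allocation is outside this hunk and should be confirmed. callRPC begins and ends outside the hunk.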