Configure s4u2proxy during installation.

This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX

Within that container we control which services are allowed to
delegate tickets for other services. Right now that is limited
from the IPA HTTP to ldap services.

Requires a version of mod_auth_kerb that supports s4u2proxy.

https://fedorahosted.org/freeipa/ticket/1098
Rob Crittenden
2012-01-10 22:39:26 -05:00
parent 74857a8ee4
commit c08296adff
6 changed files with 51 additions and 2 deletions


@@ -1,5 +1,5 @@
#
# VERSION 2 - DO NOT REMOVE THIS LINE
# VERSION 3 - DO NOT REMOVE THIS LINE
#
# LoadModule auth_kerb_module modules/mod_auth_kerb.so
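Review bot: the VERSION marker going from 2 to 3 in this header is what tells the upgrade tooling to regenerate this file ("DO NOT REMOVE THIS LINE"), so the new directives below will also land on existing servers, not only on fresh installs; the commit message only says "during installation", and it should state that upgraded servers are affected too, since those hosts must already have a mod_auth_kerb that knows the new directives before the regenerated file is written.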
@@ -42,6 +42,7 @@ WSGIScriptReloading Off
SetHandler None
</Location>
KrbConstrainedDelegationLock ipa
# Protect /ipa with Kerberos
<Location "/ipa">
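Review bot: KrbConstrainedDelegationLock ipa is added unconditionally at server scope, while the commit message says a mod_auth_kerb with s4u2proxy support is required; on an older module httpd refuses to start on an unknown directive, so the minimum mod_auth_kerb version should be pinned in the package Requires (or the directive guarded) rather than left implicit in the commit message. Placing the lock outside the <Location> blocks is correct, since it names a process-wide lock file rather than a per-location setting.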
@@ -53,6 +54,7 @@ WSGIScriptReloading Off
KrbAuthRealms $REALM
Krb5KeyTab /etc/httpd/conf/ipa.keytab
KrbSaveCredentials on
KrbConstrainedDelegation on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
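Review bot: KrbConstrainedDelegation on enables S4U2Proxy for every principal that passes Require valid-user on /ipa, and together with KrbSaveCredentials on the resulting delegated credential is written to the ccache; the limit to "IPA HTTP to ldap services" described in the commit message is enforced by the rules under cn=s4u2proxy,cn=etc,$SUFFIX in the directory, not by anything in this file, so a comment above the directive pointing at that container would help an administrator auditing this config find where the allowed delegation targets actually live.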