Configure s4u2proxy during installation.

This creates a new container, cn=s4u2proxy,cn=etc,$SUFFIX Within that container we control which services are allowed to delegate tickets for other services. Right now that is limited from the IPA HTTP to ldap services. Requires a version of mod_auth_kerb that supports s4u2proxy https://fedorahosted.org/freeipa/ticket/1098
2025-02-25 18:55:28 -06:00 · 2012-01-10 22:39:26 -05:00
parent 74857a8ee4
commit c08296adff
6 changed files with 51 additions and 2 deletions
--- a/install/updates/30-s4u2proxy.update
+++ b/install/updates/30-s4u2proxy.update
@@ -0,0 +1,18 @@
+dn: cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: s4u2proxy
+
+dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: ipaKrb5DelegationACL
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-http-delegation
+default: memberPrincipal: HTTP/$HOST@$REALM
+default: ipaAllowedTarget: 'cn=ipa-ldap-delegation-targets,cn=etc,$SUFFIX'
+
+dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
+default: objectClass: groupOfPrincipals
+default: objectClass: top
+default: cn: ipa-ldap-delegation-targets
+default: memberPrincipal: ldap/$HOST@$REALM
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -18,6 +18,7 @@ app_DATA =				\
 	20-user_private_groups.update	\
 	20-winsync_index.update		\
 	21-replicas_container.update	\
+	30-s4u2proxy.update		\
 	40-delegation.update		\
 	40-dns.update			\
 	40-automember.update		\