Remove allow_constrained_delegation from gssproxy.conf

The Apache process must not be allowed to use constrained delegation to
contact services because it is already allowed to impersonate
users to itself. Allowing it to perform constrained delegation would
let it impersonate any user against the LDAP service without authentication.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Pavel Vomacka 2017-03-14 17:44:01 +01:00 committed by Martin Basti
parent 2c194d793c
commit f4cd61f301

@ -4,7 +4,6 @@
cred_store = keytab:$HTTP_KEYTAB
cred_store = client_keytab:$HTTP_KEYTAB
allow_protocol_transition = true
allow_constrained_delegation = true
cred_usage = both
euid = $HTTPD_USER
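
Review bot: At `allow_protocol_transition = true`, which this section keeps, nothing in the file records why `allow_constrained_delegation` must stay off next to it. The rationale lives only in the commit message, so a later edit could re-add the option without noticing the impersonation risk; consider a short comment above `allow_protocol_transition` stating that the two must not be combined for this service. The `$HTTP_KEYTAB` and `$HTTPD_USER` placeholders indicate this is a template, and the lines shown change only the template, so it is worth confirming that the upgrade path also rewrites an already generated gssproxy.conf.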