Remove allow_constrained_delegation from gssproxy.conf
The Apache process must not be allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication. https://pagure.io/freeipa/issue/6225 Reviewed-By: Simo Sorce <ssorce@redhat.com>
parent
2c194d793c
commit
f4cd61f301
@ -4,7 +4,6 @@
|
||||
cred_store = keytab:$HTTP_KEYTAB
|
||||
cred_store = client_keytab:$HTTP_KEYTAB
|
||||
allow_protocol_transition = true
|
||||
allow_constrained_delegation = true
|
||||
cred_usage = both
|
||||
euid = $HTTPD_USER
|
||||
|
||||
|