IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix s4u2proxy README and add warning

Browse Source 
The attribute mentioned was using an older name that was later changed
in the implementation.
Also add a prominent warning about the use of the kadmin flags.

Reviewed-by: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Simo Sorce
2015-06-08 14:16:56 -04:00
parent eb959221e1
commit f530886193
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
daemons/ipa-kdb/README.s4u2proxy.txt
View File

@@ -31,7 +31,7 @@ principals that are being considered proxies[1]. That is: the
principals of the services that want to impersonate client principals principals of the services that want to impersonate client principals
against other services. against other services.
The ipaAllowedToImpersonate must point to a groupOfPrincipal based The ipaAllowToImpersonate must point to a groupOfPrincipal based
object that contains the list of client principals (normally these are object that contains the list of client principals (normally these are
user principals) that can be impersonated by this service. user principals) that can be impersonated by this service.
If the attribute is missing than the service is allowed to impersonate If the attribute is missing than the service is allowed to impersonate
@@ -46,7 +46,7 @@ order to allow a service to access it impersonating another principal.
At the moment no wildcarding is implemented so services have to be At the moment no wildcarding is implemented so services have to be
explicitly listed in their respective groups. explicitly listed in their respective groups.
I have some idea of adding wildcard support at least for the I have some idea of adding wildcard support at least for the
ipaAllowedToImpersonate group in order to separate user principals by ipaAllowToImpersonate group in order to separate user principals by
REALM. So you can say all users of REALM1 can be impersonated by this REALM. So you can say all users of REALM1 can be impersonated by this
service but no users of REALM2. service but no users of REALM2.
@@ -94,6 +94,15 @@ This is done with:
kdamin.local kdamin.local
modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com modprinc +ok_to_auth_as_delegate HTTP/ipaserver.example.com
NOTE: Do not grant +ok_to_auth_as_delegate in production without
carefully considering the outcome. This flags grants a service the
ability to impersonate any user to itself, which, combined with the
permission to proxy, means it will be allowed to impersonate any user
to the target service w/o any explicit user permission/delegation.
This flag is *NOT* necessary to permit proxying, it is used in this
example only because the kvno utility is hardwired to test both s4u2self
and s4u2proxy at the same time and would fail to operate without it.
Then run kvno as follows: Then run kvno as follows:
# Init credntials as HTTP # Init credntials as HTTP
@@ -110,6 +119,9 @@ ldap/ipaserver.example.com
If this works it means you successfully impersonated the admin user with If this works it means you successfully impersonated the admin user with
the HTTP service against the ldap service. the HTTP service against the ldap service.
Cleanup by removing the self-impersonation flag:
modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com
Simo. Simo.