mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
0ebc59c26d
`mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches`
and pass down that path as `KRB5CCNAME` env variable to WSGI worker.
GSSProxy in turn, protects these credentials from direct usage of
`ipa-api`. But the configuration of `service/ipa-api` (in particular,
'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') and
default GSS name ('=None') dictates to refresh expired credentials
with the client's keytab overwriting the origin credentials with
initial credentials of keytab's principal.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
25 lines
623 B
Plaintext
25 lines
623 B
Plaintext
#Installed and maintained by ipa update tools, please do not modify
|
|
[service/ipa-httpd]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
cred_store = client_keytab:$HTTP_KEYTAB
|
|
allow_protocol_transition = true
|
|
allow_client_ccache_sync = true
|
|
cred_usage = both
|
|
euid = $HTTPD_USER
|
|
|
|
[service/ipa-api]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
allow_constrained_delegation = true
|
|
allow_client_ccache_sync = true
|
|
cred_usage = initiate
|
|
euid = $IPAAPI_USER
|
|
|
|
[service/ipa-sweeper]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
socket = $SWEEPER_SOCKET
|
|
euid = $IPAAPI_USER
|
|
cred_usage = initiate
|