mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-28 18:01:23 -06:00
4ee7e4ee6d
This new option (planned to land in gssproxy 0.7) we cache the ldap ticket properly and avoid a ticket lookup to the KDC on each and every ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching). Ticket: https://pagure.io/freeipa/issue/6771 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
19 lines
519 B
Plaintext
19 lines
519 B
Plaintext
#Installed and maintained by ipa update tools, please do not modify
|
|
[service/ipa-httpd]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
cred_store = client_keytab:$HTTP_KEYTAB
|
|
allow_protocol_transition = true
|
|
allow_client_ccache_sync = true
|
|
cred_usage = both
|
|
euid = $HTTPD_USER
|
|
|
|
[service/ipa-api]
|
|
mechs = krb5
|
|
cred_store = keytab:$HTTP_KEYTAB
|
|
cred_store = client_keytab:$HTTP_KEYTAB
|
|
allow_constrained_delegation = true
|
|
allow_client_ccache_sync = true
|
|
cred_usage = initiate
|
|
euid = $IPAAPI_USER
|