0ebc59c26d
`mod_auth_gssapi` exports delegated credentials into `/run/ipa/ccaches` and passes that path down to the WSGI worker as the `KRB5CCNAME` environment variable. GSSProxy in turn protects these credentials from direct use by `ipa-api`. But the configuration of `service/ipa-api` (in particular, 'cred_store = client_keytab:/var/lib/ipa/gssproxy/http.keytab') together with the default GSS name ('=None') causes expired credentials to be refreshed from the client keytab, overwriting the original delegated credentials with initial credentials of the keytab's principal. Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
#Installed and maintained by ipa update tools, please do not modify
# Service used by the Apache httpd worker (mod_auth_gssapi): accepts
# Kerberos authentication from clients and obtains delegated credentials
# on their behalf. Matched by the caller's effective uid ($HTTPD_USER).
[service/ipa-httpd]
mechs = krb5
# HTTP service keytab, registered twice on purpose: 'keytab' is the
# accept-side credential, 'client_keytab' lets gssproxy acquire and
# refresh initial credentials for the HTTP principal itself.
cred_store = keytab:$HTTP_KEYTAB
cred_store = client_keytab:$HTTP_KEYTAB
# Protocol transition (S4U2Self): the HTTP service may request a ticket
# to itself on behalf of a user it authenticated by other means.
allow_protocol_transition = true
allow_client_ccache_sync = true
# This service both accepts client contexts and initiates outbound ones.
cred_usage = both
euid = $HTTPD_USER

# Service used by the ipa-api WSGI worker. The worker runs with the
# delegated user credentials that mod_auth_gssapi exported into
# /run/ipa/ccaches (passed via KRB5CCNAME) and must act as that user,
# never as the HTTP principal.
[service/ipa-api]
mechs = krb5
# Keytab only. Deliberately NO 'client_keytab' entry here: combined with
# the default (unset) GSS name, a client_keytab would make gssproxy
# "refresh" an expired delegated ccache from the keytab, overwriting the
# user's credentials with initial credentials of the HTTP principal.
# Do not add client_keytab to this section.
cred_store = keytab:$HTTP_KEYTAB
# Constrained delegation (S4U2Proxy): forward the user's delegated
# credentials to backend services using the HTTP service identity above.
allow_constrained_delegation = true
allow_client_ccache_sync = true
# Initiate-only: this service never accepts security contexts.
cred_usage = initiate
# Caller is matched by effective uid; note ipa-sweeper below uses the
# same uid and is therefore distinguished by a dedicated socket instead.
euid = $IPAAPI_USER

# Service for the ccache sweeper (presumably the job that cleans up
# /run/ipa/ccaches; confirm against the sweeper unit). It reaches
# gssproxy over its own socket rather than the default one.
[service/ipa-sweeper]
mechs = krb5
# Keytab only, same as ipa-api: no client_keytab, so delegated ccaches
# are never silently replaced by the HTTP principal's own credentials.
cred_store = keytab:$HTTP_KEYTAB
# Dedicated socket: this service and ipa-api both declare
# euid = $IPAAPI_USER, so the socket is what keeps them apart.
socket = $SWEEPER_SOCKET
euid = $IPAAPI_USER
# Initiate-only; the sweeper does not accept security contexts.
cred_usage = initiate