freeipa/install
Alexander Bokovoy ee7dfc3d29 Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches
With commit c6644b8566 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.

The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.

Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.

Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.

Fixes: https://pagure.io/freeipa/issue/8613

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-12-10 13:47:16 +02:00
..
certmonger Improve performance of ipa-server-guard 2020-08-19 13:59:11 -04:00
custodia Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
html Don't fully quality the FQDN in ssbrowser.html for Chrome 2020-02-18 09:15:57 -05:00
migration Use new LDAPClient constructors 2019-02-05 08:39:13 -05:00
oddjob trust-add: Catch correct exception when chown SSSD 2020-09-26 10:41:32 +03:00
restart_scripts Don't create log files from help scripts 2019-09-24 15:23:30 +02:00
share Allow mod_auth_gssapi to create and access ccaches in /run/ipa/ccaches 2020-12-10 13:47:16 +02:00
tools Generate a unique cache for each connection 2020-12-03 16:57:01 -05:00
ui Accept 389-ds JSON replication status messages 2020-12-01 08:45:07 +01:00
updates Accept 389-ds JSON replication status messages 2020-12-01 08:45:07 +01:00
wsgi wgi/plugins.py: ignore empty plugin directories 2020-11-06 16:38:37 -05:00
Makefile.am Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
README.schema Add some basic rules for adding new schema 2010-08-27 13:40:37 -04:00

Ground rules on adding new schema

Brand new schema, particularly when written specifically for IPA, should be
added in share/*.ldif. Any new files need to be explicitly loaded in
ipaserver/install/dsinstance.py. These simply get copied directly into
the new instance schema directory.

Existing schema (e.g. in an LDAP draft) may either be added as a separate
ldif in share or as an update in the updates directory. The advantage of
adding the schema as an update is if 389-ds ever adds the schema then the
installation won't fail due to existing schema failing to load during
bootstrap.

If the new schema requires a new container then this should be added
to install/bootstrap-template.ldif.