Discussion:
[Freeipa-devel] [freeipa PR#585][opened] Remove allow_constrained_delegation from gssproxy.conf
pvomacka
2017-03-14 16:47:24 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: opened

PR body:
"""
This change reverts option which breaks priviledge separation.

https://pagure.io/freeipa/issue/6225
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
pvomacka
2017-03-14 16:56:32 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
simo5
2017-03-14 16:54:57 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

simo5 commented:
"""
Please change commit message to:

The Apache process *must* not allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/585#issuecomment-286486668
pvomacka
2017-03-14 16:58:48 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
simo5
2017-03-14 16:59:51 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

Label: +ack
MartinBasti
2017-03-14 17:56:33 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

Label: +pushed
MartinBasti
2017-03-14 17:56:35 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Author: pvomacka
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/585/head:pr585
git checkout pr585
MartinBasti
2017-03-14 17:56:34 UTC
Permalink
URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf

MartinBasti commented:
"""
master:

* f4cd61f3011877fc9cc2a809438059b07362b0aa Remove allow_constrained_delegation from gssproxy.conf
"""

See the full comment at https://github.com/freeipa/freeipa/pull/585#issuecomment-286506677
Loading...