[Freeipa-devel] [PATCH] s4u2proxy support

Rob Crittenden rcritten at redhat.com
Mon Dec 12 20:22:15 UTC 2011


This patch adds support for s4u2proxy. This means that the Apache server 
will obtain the ldap service ticket on behalf of the user rather than 
the user having to send their TGT. The user's ticket still needs to be 
forwardable, we just don't require it to be forwarded any more.

This patch has a slew of dependencies that aren't yet marked in the spec 
file. You'll need the latest krb5-server bits from the ipa-devel repo. I 
don't think they are fully finalized yet which is why I didn't update 
the spec.

A new version of mod_auth_kerb is required as well. I'm in the process 
of submitting these upstream but for now you can grab the srpm from 
http://rcritten.fedorapeople.org/mod_auth_kerb-5.4-8.fc15.ipa.src.rpm

To test, you just need to install IPA as normal. Nothing should change 
from the user's perspective.

Behind the scenes you'll see that Apache gets a ccache for itself in 
/tmp/krb5cc_## where ## is the uid of the apache user (48 on my box).

Using this ccache Apache will get an ldap service ticket on the user's 
behalf. The krb5kdc log will look something like:

Dec 12 15:05:41 rawhide.example.com krb5kdc[18144](info): ... 
CONSTRAINED-DELEGATION s4u-client=admin@EXAMPLE.COM

If you set LogLevel debug in /etc/httpd/conf.d/nss.conf you'll see a 
whole lot of extra detail in the Apache error log.

rob
Attachments:
  freeipa-rcrit-914-nodelegation.patch (text/x-patch, 986 bytes)
    <http://listman.redhat.com/archives/freeipa-devel/attachments/20111212/a600d91d/attachment.bin>
  freeipa-rcrit-915-s2u4proxy.patch (text/x-patch, 4316 bytes)
    <http://listman.redhat.com/archives/freeipa-devel/attachments/20111212/a600d91d/attachment-0001.bin>
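The KDC log line quoted above is the one observable side effect of s4u2proxy on the server: the HTTP service principal asks the KDC for a ticket to the ldap service and the KDC records the impersonated user as s4u-client. That makes it a natural place to watch for a compromised web frontend delegating to services it was never meant to reach. The following script is an added example, not part of Rob's patches or of FreeIPA; it parses constructed krb5kdc TGS_REQ lines in the style of the excerpt (the full record format, the IPs, timestamps and the cifs/ principal are assumptions) and flags any CONSTRAINED-DELEGATION event whose proxy/target pair is not on a hypothetical allowlist.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample lines in the style of krb5kdc's TGS_REQ ISSUE records.
# The mail above elides the middle of the real line with "..."; the exact
# field layout, addresses and the cifs/ request are assumptions for this demo.
SAMPLE_LOG = """\
Dec 12 15:05:40 rawhide.example.com krb5kdc[18144](info): AS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1323716740, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 12 15:05:41 rawhide.example.com krb5kdc[18144](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: ISSUE: authtime 1323716740, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.COM for HTTP/rawhide.example.com@EXAMPLE.COM
Dec 12 15:05:41 rawhide.example.com krb5kdc[18144](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1323716741, etypes {rep=18 tkt=18 ses=18}, HTTP/rawhide.example.com@EXAMPLE.COM for ldap/rawhide.example.com@EXAMPLE.COM, CONSTRAINED-DELEGATION s4u-client=admin@EXAMPLE.COM
Dec 12 15:06:02 rawhide.example.com krb5kdc[18144](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.20: ISSUE: authtime 1323716762, etypes {rep=18 tkt=18 ses=18}, HTTP/rawhide.example.com@EXAMPLE.COM for cifs/files.example.com@EXAMPLE.COM, CONSTRAINED-DELEGATION s4u-client=admin@EXAMPLE.COM
"""

# Only TGS_REQ records that carry the CONSTRAINED-DELEGATION marker match.
# proxy  = the service doing the impersonation (HTTP/... in the IPA case)
# target = the service it obtained a ticket for (ldap/... in the IPA case)
# client = the user being impersonated (the s4u-client field)
DELEGATION_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): TGS_REQ .*?, "
    r"(?P<proxy>\S+) for (?P<target>[^,\s]+), "
    r"CONSTRAINED-DELEGATION s4u-client=(?P<client>\S+)"
)


class Delegation(NamedTuple):
    proxy: str
    target: str
    client: str


def parse_delegations(log_text: str) -> List[Delegation]:
    """Extract every s4u2proxy (constrained delegation) event from KDC log text."""
    events = []
    for line in log_text.splitlines():
        m = DELEGATION_RE.search(line)
        if m:
            events.append(Delegation(m["proxy"], m["target"], m["client"]))
    return events


# Hypothetical allowlist: which proxy principal may obtain tickets to which
# targets on the user's behalf. For IPA's setup this is exactly one pair.
ALLOWED: Dict[str, Set[str]] = {
    "HTTP/rawhide.example.com@EXAMPLE.COM": {
        "ldap/rawhide.example.com@EXAMPLE.COM",
    },
}


def unexpected_delegations(events: List[Delegation],
                           allowed: Dict[str, Set[str]] = ALLOWED) -> List[Delegation]:
    """Return delegation events whose proxy/target pair is not allowlisted."""
    return [e for e in events if e.target not in allowed.get(e.proxy, set())]


if __name__ == "__main__":
    found = parse_delegations(SAMPLE_LOG)
    for e in found:
        print(f"{e.proxy} -> {e.target} on behalf of {e.client}")
    for e in unexpected_delegations(found):
        print(f"ALERT: {e.proxy} delegated to unexpected service {e.target} as {e.client}")
```

The s4u2proxy step only succeeds if the user's TGT is forwardable, which you can confirm on the client with `klist -f` (an `F` in the flags column); a frontend that is not on the allowlist, or one that starts requesting tickets for services other than ldap, is the signal this check is built to surface.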

