[Freeipa-devel] [freeipa PR#585][comment] Remove allow_constrained_delegation from gssproxy.conf
simo5
freeipa-github-notification at redhat.com
Tue Mar 14 16:54:57 UTC 2017
URL: https://github.com/freeipa/freeipa/pull/585
Title: #585: Remove allow_constrained_delegation from gssproxy.conf
simo5 commented:
"""
Please change commit message to:
The Apache process *must* not allowed to use constrained delegation to contact services because it is already allowed to impersonate users to itself. Allowing it to perform constrained delegation would let it impersonate any user against the LDAP service without authentication.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/585#issuecomment-286486668
More information about the Freeipa-devel
mailing list