Using GSS-Proxy we can increase the security of the solution, especially for those admins that want to add additional (though unrelated) services to the IPA server.
By deferring the HTTP keytab management to GSS-Proxy and not making it available to the apache process we can avoid a class of local inter-application attacks.
See also https://fedorahosted.org/gss-proxy/ticket/133
The FreeIPA 4.2 was already shaped (see [[milestone:FreeIPA 4.2]] milestone), this does not fit. Pushing out.
If anyone is willing to help and contribute to this one, please let us know!
Metadata Update from @simo:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5