[Freeipa-devel] Session design document

Rob Crittenden rcritten at redhat.com
Fri Dec 2 14:46:10 UTC 2011


Simo Sorce wrote:
> On Fri, 2011-12-02 at 08:22 -0500, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2011-11-30 at 17:33 -0500, John Dennis wrote:
>>>> Comments? Suggestions?
>>>>
>>> Sorry for the late reply.
>>>
>>> First of all, excellent write-up John, it is very comprehensive and lays
>>> down things very clearly.
>>>
>>> I agree that using ipa:ipa for memcached and wsgi would be a better
>>> proposition for us. Although we need to explore how this would affect
>>> credential caches created by mod_auth_kerb and our ability to use them,
>>> which is crucial*.
>>
>> The krb ccache will not be readable by ipa:ipa.
>
> I feared that, although maybe we can do some trick with default ACLs to
> make them readable to the 'ipa' user.
> Do we have the option to re-implement SPNEGO in python and stop using
> mod_auth_kerb ?
>
> Simo.
>

We last looked at this way back in early v1, so it may be possible now;
it wasn't then. This would be a long-term effort.

Whatever we do, we definitely don't want 389-ds to be running as the same
user as the ipa framework. Breaking into the web server via our app
would mean filesystem access to the raw LDAP database.

rob
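Rob's last point, that the directory server and the web framework must not share an account so that a compromise of the framework does not hand over the raw database files, is a privilege-separation property that can be checked mechanically. The script below is an added example, not FreeIPA or 389-ds code: it lists everything under a service's data directory that some other account (given as uid/gid plus supplementary groups) could read, by walking the tree and evaluating owner/group/other mode bits the way the kernel's DAC check does (owner class applies exclusively, search permission is required on every directory in the chain, uid 0 bypasses read/write). The `slapd-EXAMPLE` layout with `db/id2entry.db` and `log/access` is constructed here for illustration. Caveat matching Simo's remark about default ACLs: the check reads mode bits only, so a POSIX ACL (`setfacl`), SELinux or capabilities can grant or deny access that this audit does not see; treat an empty result as "closed by mode bits", not as proof.

```python
"""Mode-bit audit: what could one service's account read in another's data dir?

Added example, not FreeIPA or 389-ds code.  The slapd-EXAMPLE layout below is
constructed for illustration.  Assumption: only owner/group/other mode bits are
evaluated; POSIX ACLs (setfacl), SELinux and capabilities are not consulted, so
an ACL may widen access that this audit reports as closed.
"""
import os
import stat
import tempfile


def can_access(path, uid, gid, groups=(), want=os.R_OK):
    """DAC check by mode bits for an account (uid, gid, supplementary groups).
    `want` is a mask of os.R_OK, os.W_OK and os.X_OK."""
    st = os.stat(path)
    mode = st.st_mode
    if uid == 0:
        # root bypasses read/write checks; execute still needs a directory or some x bit
        if want & os.X_OK and not stat.S_ISDIR(mode) and not mode & 0o111:
            return False
        return True
    if st.st_uid == uid:
        cls = (mode >> 6) & 0o7      # owner class applies even when group/other are wider
    elif st.st_gid == gid or st.st_gid in groups:
        cls = (mode >> 3) & 0o7
    else:
        cls = mode & 0o7
    need = (4 if want & os.R_OK else 0) | (2 if want & os.W_OK else 0) | (1 if want & os.X_OK else 0)
    return (cls & need) == need


def exposed_paths(root, uid, gid, groups=()):
    """Sorted paths (relative to root) the account could read: a directory when
    it is listable, a file when it is readable, and in both cases only if every
    directory from root down to it is searchable.  Ancestors of root itself are
    assumed searchable."""
    root = os.path.normpath(root)
    exposed = []
    searchable = {}
    for dirpath, dirnames, filenames in os.walk(root):
        reach = True if dirpath == root else searchable[os.path.dirname(dirpath)]
        if reach and can_access(dirpath, uid, gid, groups, os.R_OK):
            exposed.append(os.path.relpath(dirpath, root))
        searchable[dirpath] = reach and can_access(dirpath, uid, gid, groups, os.X_OK)
        if not searchable[dirpath]:
            dirnames[:] = []          # nothing below can be opened; do not descend
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            if can_access(full, uid, gid, groups, os.R_OK):
                exposed.append(os.path.relpath(full, root))
    return sorted(exposed)


def build_sample_tree(base):
    """Constructed layout loosely modelled on a directory-server instance dir
    (hypothetical names): database owner-only, logs world-readable."""
    root = os.path.join(base, "slapd-EXAMPLE")
    os.mkdir(root)
    os.chmod(root, 0o750)
    entries = [
        ("db", True, 0o700),
        ("db/id2entry.db", False, 0o600),
        ("log", True, 0o755),
        ("log/access", False, 0o644),
    ]
    for rel, is_dir, mode in entries:
        full = os.path.join(root, rel)
        if is_dir:
            os.mkdir(full)
        else:
            with open(full, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(full, mode)          # explicit chmod so the umask cannot interfere
    return root


def demo():
    """Build the constructed tree in a temp dir and audit it from four accounts.
    Returns the result lists so they can be inspected or asserted on."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="sep-audit-"))
    st = os.stat(root)
    other = (st.st_uid + 1, st.st_gid + 1)   # any account that is not the owner
    results = {"other_root_0750": exposed_paths(root, *other)}
    os.chmod(root, 0o755)   # common slip: world-searchable instance directory
    results["other_root_0755"] = exposed_paths(root, *other)
    results["owner"] = exposed_paths(root, st.st_uid, st.st_gid)
    results["root"] = exposed_paths(root, 0, 0)
    return results


if __name__ == "__main__":
    for label, paths in demo().items():
        print(label, paths)
```

With the instance directory at 0750 the non-owner account sees nothing; loosening it to 0755 exposes the log tree while `db/` stays closed because it is 0700. For a real deployment, run `exposed_paths` against the 389-ds data directory with the uid/gid of the web framework's account, and pair it with `getfacl -R` since ACL entries are invisible to this check.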
