[Freeipa-devel] Management of the CS instances.

Adam Young ayoung at redhat.com
Fri Jun 17 23:53:12 UTC 2011


On 06/17/2011 06:59 PM, Dmitri Pal wrote:
> Hi,
>
> Before we went too far with implementing the CS decoupling here is a
> stupid idea I have.
>
> We can proceed with the plans described in tickets:
> https://fedorahosted.org/freeipa/ticket/1250
> https://fedorahosted.org/freeipa/ticket/1251
> https://fedorahosted.org/freeipa/ticket/1252
>
> However, what we can do is store the CS instance DM password encrypted in
> the main instance.
> Then the management utility (ticket 1250) would first have to fetch this
> encrypted attribute from the main instance.
> We would be able to define ACIs on it and use the Kerberos
> authentication against the main instance instead of prompting the user for
> the DM password.
> It is a little bit more work, but a much better and more consistent user
> experience and administrative model.

Makes sense at a first pass. I haven't worked that deeply with the CS
stuff to say for sure, but treating the IPA DS as canonical and thus
giving it the keys to the kingdom seems to be the right call. It all
depends on which (CS or IPA) you want to treat as the most critical to
lock down. I see nothing wrong with keeping IPA in that role.

> What do you think?
>