[Freeipa-devel] More types of replicas in FreeIPA

Petr Spacek pspacek at redhat.com
Thu Feb 14 09:36:32 UTC 2013


On 13.2.2013 20:10, Simo Sorce wrote:
> On Wed, 2013-02-13 at 19:34 +0100, Ondrej Hamada wrote:
>> On 13.2.2013 14:36, Simo Sorce wrote:
>>> On Tue, 2013-02-12 at 19:30 -0500, Dmitri Pal wrote:
>>>
>>>> It looks like things are starting to boil down to building a Kerberos proxy.
>>>> Is this something that fits within your thesis agenda Ondra?
>>> I guess that's for Ondrej to say, if it is too much we can simply start
>>> working on the LDAP/replication side with rekeying and what not, and
>>> deal with the KDC part at a later time.
>>>
>>> Simo.
>>>
>> Working on the LDAP/repl side fits the thesis agenda better, so I would
>> like to go that way.
>>
>> Rekeying - do you mean some sort of plugin for transporting the krb keys
>> from masters to consumers?
>>
>> Besides securing transport of keys what else should be done in ldap?
>> I've only partial replication in my mind - I mean replication of entries
>> selected by some kind of ldap filters.
>
> We would need to re-encrypt keys so that we do not need to hand off to
> remote KDCs the same master key.
> This way a compromise in a branch office replica would not compromise
> the central infrastructure, but only affect the remote branch.

Generally, this feature could be nice for "plain" Kerberos. (I mean some 
re-keying integration with the classical "kprop" mechanism.)

-- 
Petr^2 Spacek
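The re-keying idea Simo describes above (a branch replica gets the principal keys it needs, but encrypted under its own master key rather than the central one), combined with Ondrej's filter-based partial replication, as an added example that is not FreeIPA code and is not from anyone in this thread. It models the key wrapping with an HMAC-SHA256 keystream plus MAC (encrypt-then-MAC) purely so it runs with the Python standard library; a real KDC would use its Kerberos enctype key encryption. The entry layout, the `branch` attribute used as the replication filter, and all key material are constructed for the example.

```python
import hmac
import hashlib
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _prf_stream(key: bytes, nonce: bytes, length: bytes) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF to derive a keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(master_key: bytes):
    # Separate encryption and MAC keys derived from one master key.
    return (hmac.new(master_key, b"enc", hashlib.sha256).digest(),
            hmac.new(master_key, b"mac", hashlib.sha256).digest())


def wrap_key(master_key: bytes, principal_key: bytes) -> bytes:
    """Encrypt-then-MAC a principal's long-term key under a master key."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _prf_stream(enc_key, nonce, len(principal_key))
    ct = bytes(a ^ b for a, b in zip(principal_key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(master_key: bytes, blob: bytes) -> bytes:
    """Verify the MAC, then decrypt. Raises ValueError for a wrong master key."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master key or tampered key blob")
    return bytes(a ^ b for a, b in zip(ct, _prf_stream(enc_key, nonce, len(ct))))


def replicate_to_branch(entries, branch, central_master, branch_master):
    """Run on the central master: select only the entries belonging to `branch`
    (the 'ldap filter' part) and re-encrypt each key under the branch master key
    (the 're-keying' part). The branch never sees the central master key or any
    ciphertext produced under it."""
    shipped = []
    for entry in entries:
        if entry["branch"] != branch:
            continue  # partial replication: other branches' principals stay home
        plain = unwrap_key(central_master, entry["key_blob"])
        shipped.append({"principal": entry["principal"],
                        "branch": branch,
                        "key_blob": wrap_key(branch_master, plain)})
    return shipped


def demo():
    # Constructed sample data: two branches, one principal each.
    central_master = secrets.token_bytes(32)
    branch_master = secrets.token_bytes(32)  # held only by the 'brno' replica
    keys = {"host/fs.brno.example.com": secrets.token_bytes(32),
            "host/fs.praha.example.com": secrets.token_bytes(32)}
    central_db = [
        {"principal": "host/fs.brno.example.com", "branch": "brno",
         "key_blob": wrap_key(central_master, keys["host/fs.brno.example.com"])},
        {"principal": "host/fs.praha.example.com", "branch": "praha",
         "key_blob": wrap_key(central_master, keys["host/fs.praha.example.com"])},
    ]
    replica_db = replicate_to_branch(central_db, "brno", central_master, branch_master)

    # The branch KDC can use the copy it received.
    branch_ok = unwrap_key(branch_master, replica_db[0]["key_blob"]) == keys["host/fs.brno.example.com"]

    # A compromised branch master key opens nothing stored under the central key.
    try:
        unwrap_key(branch_master, central_db[1]["key_blob"])
        leaks_central = True
    except ValueError:
        leaks_central = False

    return {"replicated_principals": [e["principal"] for e in replica_db],
            "branch_can_decrypt": branch_ok,
            "branch_key_opens_central_copy": leaks_central}


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in `demo()`: the branch replica's key material decrypts only the entries that were re-wrapped for it, so an attacker who dumps the branch master key gets that branch's principals and nothing from the central database or from other branches.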