[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)
Nathaniel McCallum
npmccallum at redhat.com
Wed Jun 17 16:09:36 UTC 2015
On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> > It doesn't apply again.
> >
> > On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> > > On 2015-05-27 15:16, Christian Heimes wrote:
> > > > Hello,
> > > >
> > > > here is my first patch for FreeIPA. The patch integrates
> > > > python-kdcproxy for MS-KKDCP support (aka Kerberos over HTTPS).
> > > >
> > > > https://www.freeipa.org/page/V4/KDC_Proxy
> > > >
> > > > Ticket: https://fedorahosted.org/freeipa/ticket/4801
> > > freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> > > doesn't apply anymore. The new patch is based on the current master.
> > >
> > > Christian
I'm reviewing Adam's version of Christian's patch.
* FreeIPA should require python-kdcproxy >= 0.3 considering there are
lots of fixes related to this project.
* KDC Proxy path is not configurable. This probably needs to be noted
in documentation somewhere when mentioning the default path.
* Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?
* There is a new permission: Read IPA Masters KDC Proxy. Is this
necessary? Can't the config be world-readable and admin writable? There
is no extra security in hiding this attribute. This also completely
removes the need for a keytab since anonymous binding can be used. This
also, I believe, removes the need for a service.
* The creation of the kdcproxy user is trailed by "exit 0". Why?
* replicainstall.py has trailing whitespace
Nathaniel