[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

Christian Heimes cheimes at redhat.com
Wed Jun 17 19:21:55 UTC 2015


On 2015-06-17 18:09, Nathaniel McCallum wrote:
> On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
>> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
>>> It doesn't apply again.
>>>
>>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
>>>> On 2015-05-27 15:16, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> here is my first patch for FreeIPA. The patch integrates python-kdcproxy
>>>>> for MS-KKDCP support (aka Kerberos over HTTPS).
>>>>>
>>>>> https://www.freeipa.org/page/V4/KDC_Proxy
>>>>>
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
>>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>>>> doesn't
>>>> apply anymore. The new patch is based on the current master.
>>>>
>>>> Christian
>>>>

Thanks Nathaniel,

quick review before I have to leave again. A couple of Red Hatters from
Brno just arrived at the hotel. I'll grab a beer with them.

> I'm reviewing Adam's version of Christian's patch.
> 
> * FreeIPA should require python-kdcproxy >= 0.3 considering there are
> lots of fixes related to this project.

We need to package it first, when I'm back from NHO. I've started to
study the packaging docs in the engineering section. Maybe you or
somebody else can walk me through the process next week?

> * KDC Proxy path is not configurable. This probably needs to be noted
> in documentation somewhere when mentioning the default path.

LGTM

> * Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?

How? I thought 2.16.840.1.113730.3.8.3 is in our own OID space and we
don't have to register it with IANA. Or are you referring to another
registry?

> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary? Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

That would make the code simpler and shorter too. I'm +0 on the proposal.


> * The creation of the kdcproxy user is trailed by "exit 0". Why?

https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends "exit 0".


> * replicainstall.py has trailing whitespace

I'll address it with my next patch.
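The wire format that python-kdcproxy handles for MS-KKDCP is a DER-encoded KDC-PROXY-MESSAGE wrapping a length-prefixed Kerberos message. As an added illustration that is not code from this patch or from python-kdcproxy, the following minimal encoder and validating decoder follow the field tags and the 4-byte length prefix as the MS-KKDCP specification defines them; realm names and message bytes used with it are constructed samples.

```python
import struct

def tlv(tag, body):
    # DER TLV: length is one byte below 128, else 0x80|count then big-endian bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos):
    # One DER TLV at pos -> (tag, body, next_pos); truncated input raises
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first & 0x7F
    if first & 0x80:  # long form: the next `length` bytes hold the real length
        length, pos = int.from_bytes(buf[pos:pos + length], "big"), pos + length
    if pos + length > len(buf):
        raise ValueError("truncated")
    return tag, buf[pos:pos + length], pos + length

def encode_kdc_proxy_message(krb_msg, realm=None):
    # KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
    #   target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
    body = tlv(0xA0, tlv(0x04, struct.pack(">I", len(krb_msg)) + krb_msg))  # TCP-style prefix
    if realm is not None:
        body += tlv(0xA1, tlv(0x1B, realm.encode("ascii")))  # GeneralString
    return tlv(0x30, body)

def decode_kdc_proxy_message(data):
    # Parse and validate; a proxy should reject anything that does not fit the schema
    tag, seq, end = read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = {"kerb_message": None, "target_domain": None}, 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        itag, inner, iend = read_tlv(body, 0)
        if iend != len(body) or (tag, itag) not in ((0xA0, 0x04), (0xA1, 0x1B), (0xA2, 0x02)):
            raise ValueError("unexpected field 0x%02x/0x%02x" % (tag, itag))
        if tag == 0xA0:
            if len(inner) < 4 or struct.unpack(">I", inner[:4])[0] != len(inner) - 4:
                raise ValueError("kerb-message length prefix mismatch")
            out["kerb_message"] = inner[4:]
        elif tag == 0xA1:
            out["target_domain"] = inner.decode("ascii")
        # [2] dclocator-hint is valid but unused here, so it is accepted and ignored
    if out["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return out
```

The decoder rejects trailing bytes, unknown fields and an inner length prefix that disagrees with the carried payload, which are the checks a proxy in front of the KDC should make before forwarding anything.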

