[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

Nathaniel McCallum npmccallum at redhat.com
Wed Jun 17 19:31:10 UTC 2015


On Wed, 2015-06-17 at 21:21 +0200, Christian Heimes wrote:
> On 2015-06-17 18:09, Nathaniel McCallum wrote:
> > On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> >> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> >>> It doesn't apply again.
> >>>
> >>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> >>>> On 2015-05-27 15:16, Christian Heimes wrote:
> >>>>> Hello,
> >>>>>
> >>>>> here is my first patch for FreeIPA. The patch integrates
> >>>>> python-kdcproxy for MS-KKDCP support (aka Kerberos over HTTPS).
> >>>>>
> >>>>> https://www.freeipa.org/page/V4/KDC_Proxy
> >>>>>
> >>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
> >>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> >>>> doesn't apply anymore. The new patch is based on the current master.
> >>>>
> >>>> Christian
> >>>>
> 
> Thanks Nathaniel,
> 
> quick review before I have to leave again. A couple of Red Hatters from
> Brno just arrived at the hotel. I'll grab a beer with them.
> 
> > I'm reviewing Adam's version of Christian's patch.
> > 
> > * FreeIPA should require python-kdcproxy >= 0.3 considering there are
> > lots of fixes related to this project.
> 
> We need to package it first, when I'm back from NHO. I've started to
> study the packaging docs in the engineering section. Maybe you or
> somebody else can walk me through the process next week?

I'm happy to walk you through it. However, it is already built (just
not pushed):
http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

> > * KDC Proxy path is not configurable. This probably needs to be noted
> > in documentation somewhere when mentioning the default path.
> 
> LGTM
> 
> > * Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?
> 
> How? I thought 2.16.840.1.113730.3.8.3 is in our own OID space and we
> don't have to register it with IANA. Or are you referring to another
> registry?

We have our own registry. I can walk you through the details off-thread.

> > * There is a new permission: Read IPA Masters KDC Proxy. Is this
> > necessary? Can't the config be world-readable and admin writable? There
> > is no extra security in hiding this attribute. This also completely
> > removes the need for a keytab since anonymous binding can be used. This
> > also, I believe, removes the need for a service.
> 
> That would make the code simpler and shorter too. I'm +0 on the proposal.
> 
> 
> > * The creation of the kdcproxy user is trailed by "exit 0". Why?
> 
> https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends "exit 0".
> 
> 
> > * replicainstall.py has trailing whitespace
> 
> I'll address it with my next patch.
> 
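For readers following the thread who have not looked at what MS-KKDCP actually puts on the wire: the proxy receives an HTTP POST whose body is a DER-encoded KDC-PROXY-MESSAGE wrapping a length-prefixed Kerberos request. The block below is an added example written for this page, not code from Christian's patch or from python-kdcproxy. It encodes and decodes that wrapper with a minimal hand-rolled DER codec and shows the checks a proxy should apply before relaying anything to a KDC (well-formed wrapper, matching length prefix, inner message is an AS-REQ or TGS-REQ). The function names, the `MAX_BODY` limit and the sample request bytes are all constructed for the example.

```python
# Added example (not code from the FreeIPA patch or from python-kdcproxy):
# encode, decode and sanity-check the MS-KKDCP KDC-PROXY-MESSAGE wrapper
# that a KDC proxy receives as the body of an HTTP POST.
#
#   KDC-PROXY-MESSAGE ::= SEQUENCE {
#       kerb-message   [0] OCTET STRING,            -- 4-byte BE length + Kerberos message
#       target-domain  [1] KerberosString OPTIONAL, -- realm name (GeneralString)
#       dclocator-hint [2] INTEGER OPTIONAL
#   }
import struct

AS_REQ_TAG = 0x6A    # [APPLICATION 10] AS-REQ
TGS_REQ_TAG = 0x6C   # [APPLICATION 12] TGS-REQ
MAX_BODY = 64 * 1024  # constructed upper bound for one proxied request body


def _der_len(n):
    """DER length octets for content length n (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def encode_kdc_proxy_message(kerb_message, target_domain=None, dclocator_hint=None):
    """Wrap a raw Kerberos message the way a KKDCP client does."""
    framed = struct.pack(">I", len(kerb_message)) + kerb_message  # TCP-style prefix
    parts = [_tlv(0xA0, _tlv(0x04, framed))]
    if target_domain is not None:
        parts.append(_tlv(0xA1, _tlv(0x1B, target_domain.encode("ascii"))))
    if dclocator_hint is not None:
        parts.append(_tlv(0xA2, _tlv(0x02, _der_int(dclocator_hint))))
    return _tlv(0x30, b"".join(parts))


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, content, end). Rejects truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("content runs past end of buffer")
    return tag, buf[pos:end], end


def decode_kdc_proxy_message(data):
    """Unwrap a KDC-PROXY-MESSAGE into a dict; raises ValueError on malformed input."""
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("body is not a single KDC-PROXY-MESSAGE SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        ctag, inner, pos = _read_tlv(seq, pos)
        itag, value, iend = _read_tlv(inner, 0)
        if iend != len(inner):
            raise ValueError("trailing bytes inside context tag")
        if ctag == 0xA0 and itag == 0x04:
            if len(value) < 4:
                raise ValueError("kerb-message shorter than its length prefix")
            (n,) = struct.unpack(">I", value[:4])
            if n != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match payload")
            fields["kerb_message"] = value[4:]
        elif ctag == 0xA1 and itag == 0x1B:
            fields["target_domain"] = value.decode("ascii")
        elif ctag == 0xA2 and itag == 0x02:
            fields["dclocator_hint"] = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected field tag 0x%02x/0x%02x" % (ctag, itag))
    if "kerb_message" not in fields:
        raise ValueError("kerb-message is mandatory")
    return fields


def is_forwardable_request(kerb_message):
    """A proxy should only relay client requests, i.e. AS-REQ and TGS-REQ."""
    return len(kerb_message) > 0 and kerb_message[0] in (AS_REQ_TAG, TGS_REQ_TAG)


def check_proxy_body(data):
    """Server-side gate: (True, fields) for a well-formed, forwardable request,
    (False, reason) otherwise."""
    if len(data) > MAX_BODY:
        return False, "body too large"
    try:
        fields = decode_kdc_proxy_message(data)
    except ValueError as exc:
        return False, str(exc)
    if not is_forwardable_request(fields["kerb_message"]):
        return False, "inner message is not an AS-REQ or TGS-REQ"
    return True, fields


if __name__ == "__main__":
    # Constructed stand-in for an AS-REQ: the [APPLICATION 10] tag with dummy contents.
    fake_as_req = b"\x6a\x03\x01\x02\x03"
    body = encode_kdc_proxy_message(fake_as_req, "EXAMPLE.COM")
    print(body.hex())
    print(check_proxy_body(body))
```

The length-prefix and tag checks are the part worth copying: a proxy that forwards the inner octets blindly turns an anonymous HTTPS endpoint into a generic relay to UDP/TCP port 88, whereas rejecting anything that is not a correctly framed AS-REQ or TGS-REQ keeps it to the one job MS-KKDCP defines.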