[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

Christian Heimes cheimes at redhat.com
Mon Jun 22 13:49:51 UTC 2015


On 2015-06-17 18:09, Nathaniel McCallum wrote:
> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary? Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

I brought up your suggestion in today's IPA devel meeting. Simo
explained that anonymous binding might not be available. Some customers
disable it on their systems. I'd have to find yet another way to
authenticate, e.g. using the user account. That would only work locally,
though.

Let's go ahead with my current approach. It's implemented and I have
tested upgrade and refresh installation a couple of times, too.

Christian
