[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

Christian Heimes cheimes at redhat.com
Mon Jun 22 16:16:06 UTC 2015


On 2015-06-22 16:22, Nathaniel McCallum wrote:
> On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
>> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
>>> I'd still prefer a user mapping to managing a keytab. This patch is 
>>> just way too complex for what it does.
>>
>> User mapping ?
> 
> EXTERNAL bind

Nathaniel, Simo and I had a discussion on #ipa. Eventually our combined
brains came up with a simpler solution that is good enough for now. The
new proposal needs neither a keytab nor a new permission. It even
removes the need for a shim module.

The WSGI config file for Apache is moved to a different location (e.g.
/etc/ipa/ipa-kdc-proxy.conf). I have to check SELinux rules to find a
proper location.

An additional ExecStartPre script is hooked into httpd.service instead.
The script reads the status of the flag from LDAP. If kdcproxy is
enabled, it symlinks the WSGI config file to
/etc/httpd/conf.d/ipa-kdc-proxy.conf. Otherwise it removes the symlink.
When the file is not a symlink or doesn't point to
/etc/ipa/ipa-kdc-proxy.conf, then the script only prints a warning. The
file is neither replaced nor removed.

Because systemd scripts run as root, the ExecStartPre script can use
EXTERNAL bind over ldapi to access 389 DS. The root user is mapped to
the Directory Manager user, which is allowed to read all entries in the
cn=masters,cn=ipa,cn=etc subtree. That way the script needs neither
a keytab nor an additional permission.

With the ExecStartPre we don't lose any functionality. When the config
file is not symlinked, Apache responds with a 404 (just like before).
Apache must be reloaded before a new setting becomes effective (just
like before).

Christian
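The ExecStartPre helper described in the mail above, as an added example that is not FreeIPA's own script: it reads the enable flag from 389 DS over ldapi with SASL EXTERNAL (root is mapped to Directory Manager, as the mail states) and then creates or removes the symlink in /etc/httpd/conf.d. The ldapi socket path, the base DN suffix and the search filter (cn=KDCPROXY / ipaConfigString=enabledService) are assumptions, not taken from the mail; only the two config paths come from the text. The symlink handling follows the mail's rule exactly: anything at the destination that is not a symlink to /etc/ipa/ipa-kdc-proxy.conf is left untouched with a warning, so a stray file, a directory or a foreign symlink placed there can never be silently replaced or unlinked by a root-run unit.

```python
#!/usr/bin/python3
"""Added example (not FreeIPA's own code): manage the ipa-kdc-proxy Apache
config symlink from an httpd.service ExecStartPre hook.

Paths from the mail:
  source      /etc/ipa/ipa-kdc-proxy.conf
  destination /etc/httpd/conf.d/ipa-kdc-proxy.conf
Everything about the LDAP query (socket, suffix, filter) is an assumption.
"""
import os
import subprocess
import sys

SRC = "/etc/ipa/ipa-kdc-proxy.conf"
DST = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"

# Hypothetical values: adapt to the real instance name and suffix.
LDAPI = "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket"
BASE = "cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
FILTER = "(&(cn=KDCPROXY)(ipaConfigString=enabledService))"  # assumed schema


def kdcproxy_enabled_from_ldap():
    """Ask 389 DS whether the proxy is enabled.

    Runs as root from a systemd unit, so `-Y EXTERNAL` over ldapi binds as
    Directory Manager without a keytab or an extra permission.  Any entry
    matching FILTER under BASE means "enabled".  Raises on ldapsearch errors.
    """
    cmd = [
        "ldapsearch", "-LLL", "-Q", "-Y", "EXTERNAL", "-H", LDAPI,
        "-b", BASE, "-s", "sub", FILTER, "dn",
    ]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return any(line.startswith("dn:") for line in out.splitlines())


def sync_symlink(enabled, src=SRC, dst=DST, warn=print):
    """Make dst a symlink to src when enabled, remove it when disabled.

    Returns 'created', 'removed', 'unchanged' or 'skipped'.  Only a symlink
    whose literal target is src is ever created or unlinked; a regular file,
    a directory or a symlink pointing elsewhere at dst is reported and left
    alone, as the mail specifies ("neither replaced nor removed").
    """
    if os.path.lexists(dst):
        # lexists/islink look at the link itself, never at what it points to,
        # so a dangling or foreign symlink is still handled as a symlink.
        if not os.path.islink(dst) or os.readlink(dst) != src:
            warn(f"warning: {dst} exists and is not a symlink to {src}; "
                 "leaving it alone")
            return "skipped"
        if enabled:
            return "unchanged"
        os.unlink(dst)
        return "removed"
    if not enabled:
        return "unchanged"
    os.symlink(src, dst)
    return "created"


if __name__ == "__main__":
    try:
        enabled = kdcproxy_enabled_from_ldap()
    except (OSError, subprocess.CalledProcessError) as e:
        # Design choice: an unreachable directory must not keep httpd from
        # starting, so keep whatever state is on disk and exit 0.
        print(f"warning: could not query LDAP ({e}); symlink left as is",
              file=sys.stderr)
        sys.exit(0)
    print("kdcproxy", "enabled" if enabled else "disabled", "->",
          sync_symlink(enabled, warn=lambda m: print(m, file=sys.stderr)))
```

Two points worth keeping when adapting this: the comparison uses os.readlink, i.e. the literal link target, rather than os.path.realpath, so a symlink that merely resolves to the same file through another path is treated as foreign; and the LDAP failure path deliberately exits 0, since a hard failure in ExecStartPre would stop httpd (and with it the rest of IPA's web interface) whenever the directory is briefly unavailable at boot.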
