[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

Christian Heimes cheimes at redhat.com
Tue Jun 23 18:20:15 UTC 2015


On 2015-06-23 19:55, Nathaniel McCallum wrote:
> The behavior I'm worried about here is this:
> 1. Admin installs or updates FreeIPA (w/ kdcproxy)
> 2. Admin disables kdcproxy
> 3. Admin updates to the next version
> 
> After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it).
> 
> Other than this, I'm happy. So if we can answer this, it is an ack from me.

That is covered by the check is_kdcproxy_configured(). It checks for the
presence of a file. That file is created during installation or at the
first update.


Let's see if the check works. First I'm disabling kdcproxy:

# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-disable.uldif'
Updating existing entry:
cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful

# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /KdcProxy was not found on this server.</p>
</body></html>

# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file
or directory


Next I'm running the updater and checking the feature again:

# ipa-server-upgrade
...
# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /KdcProxy was not found on this server.</p>
</body></html>

# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
stat: cannot stat ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’: No such file
or directory


KDC proxy is still disabled. Let's enable it and check again.

# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif
Parsing update file '/usr/share/ipa/kdcproxy-enable.uldif'
Updating existing entry:
cn=KDC,cn=vm-164.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example
Done
Update complete
The ipa-ldap-updater command was successful

# systemctl restart httpd.service

# curl https://vm-164.abc.idm.lab.eng.brq.redhat.com/KdcProxy
Method not allowed (GET)

# stat /etc/httpd/conf.d/ipa-kdc-proxy.conf
  File: ‘/etc/httpd/conf.d/ipa-kdc-proxy.conf’ ->
‘/etc/ipa/kdcproxy/ipa-kdc-proxy.conf’
  Size: 36              Blocks: 0          IO Block: 4096   symbolic link
Device: fd01h/64769d    Inode: 398238      Links: 1
...
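
The upgrade behaviour tested above (default-enable only on first configuration, then leave the admin's choice alone), as an added sketch that is not part of the original post and not FreeIPA's code. Assumptions: the symlink target is treated as the "configured" marker file, the admin toggle is modelled as the symlink itself rather than the LDAP entry, and all function names are hypothetical.

```python
import os
import tempfile

# Paths mirror the two seen in the stat output above; using the symlink
# target as the "configured" marker is an assumption made for this sketch.
CONF = "etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
LINK = "etc/httpd/conf.d/ipa-kdc-proxy.conf"

def is_configured(root):
    """True once install or a first upgrade has set the feature up."""
    return os.path.isfile(os.path.join(root, CONF))

def is_enabled(root):
    """True while httpd would load the proxy config (symlink resolves)."""
    return os.path.exists(os.path.join(root, LINK))

def set_enabled(root, enabled):
    """Admin toggle, standing in for the kdcproxy-enable/disable updates."""
    link = os.path.join(root, LINK)
    if os.path.lexists(link):
        os.unlink(link)
    if enabled:
        os.makedirs(os.path.dirname(link), exist_ok=True)
        os.symlink(os.path.join(root, CONF), link)

def upgrade(root):
    """Enable by default only on first configuration, never afterwards."""
    if is_configured(root):
        return "skipped"  # marker present: respect whatever the admin chose
    conf = os.path.join(root, CONF)
    os.makedirs(os.path.dirname(conf), exist_ok=True)
    with open(conf, "w") as fh:
        fh.write("# constructed placeholder config\n")
    set_enabled(root, True)
    return "configured"

def run_scenario():
    """Install, disable, upgrade, enable, upgrade; record each result."""
    with tempfile.TemporaryDirectory() as root:
        states = [upgrade(root), is_enabled(root)]
        set_enabled(root, False)
        states += [upgrade(root), is_enabled(root)]
        set_enabled(root, True)
        states += [upgrade(root), is_enabled(root)]
        return states

if __name__ == "__main__":
    print(run_scenario())
```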

