[Freeipa-devel] Kerberos over HTTPS (KDC proxy)
Christian Heimes
cheimes at redhat.com
Fri May 22 11:17:35 UTC 2015
On 2015-05-22 13:02, Martin Kosek wrote:
> The original proposal was to do it globally in cn=config. But if it is
> about to be stored in the cn=masters, per-replica, this looks as the
> right way.
My first proposal used cn=ipaConfig,cn=etc because it was the first
place I found. It took me a bit to find and understand the other
subtrees in cn=etc. Other developers have pointed me to the cn=masters
subtree.
> What API did you plan using, for enabling/disabling service? If we go
> the general IPA service way, should we extend the planned service-* API
> that Petr Vobornik announced in
>
> http://www.redhat.com/archives/freeipa-devel/2015-May/msg00309.html
>
> and have command like serverservice-mod ipa.server kdcproxy --enabled=0?
I don't have concrete plans for an enabling/disabling API yet. It's one
of the questions I have raised at the end of my mail. I'm going to study
Petr Vobornik's mail now.
In order to disable or enable KDC proxy, the switch in LDAP must be
switched and Apache must be reloaded or restarted. The WSGI wrapper does
NOT poll the state of the switch.
>> 4) In order to read the state of the switch, the WSGI script needs to be
>> able to connect to LDAP. I can use Apache's / FreeIPA webui's keytab to
>> get a ticket for GSSAPI bind. However Apache has no permission to read
>> ipaConfigStrings in the masters subtree. A new role/permission and ACI
>> is required here.
>
> There is already a permission 'System: Read IPA Masters' and privilege
> "IPA Masters Readers" defined, in
> ipaserver/install/plugins/update_managed_permissions.py. Can this be used?
The permission sounds too broad to me. There is probably a reason why
all ipaConfigStrings entries are read-protected. I really just need
search (and maybe compare) for ipaConfigString=enabledService.
Thanks for your feedback,
Christian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150522/c6bfb53a/attachment.sig>
More information about the Freeipa-devel
mailing list