[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Petr Vobornik pvoborni at redhat.com
Fri May 22 12:02:19 UTC 2015


On 05/22/2015 01:17 PM, Christian Heimes wrote:
> On 2015-05-22 13:02, Martin Kosek wrote:
>> The original proposal was to do it globally in cn=config. But if it is
>> about to be stored in the cn=masters, per-replica, this looks like the
>> right way.
>
> My first proposal used cn=ipaConfig,cn=etc because it was the first
> place I found. It took me a bit to find and understand the other
> subtrees in cn=etc. Other developers have pointed me to the cn=masters
> subtree.
>
>> What API did you plan using, for enabling/disabling service? If we go
>> the general IPA service way, should we extend the planned service-* API
>> that Petr Vobornik announced in
>>
>> http://www.redhat.com/archives/freeipa-devel/2015-May/msg00309.html
>>
>> and have a command like serverservice-mod ipa.server kdcproxy --enabled=0?
>
> I don't have concrete plans for an enabling/disabling API yet. It's one
> of the questions I have raised at the end of my mail. I'm going to study
> Petr Vobornik's mail now.
>
> In order to disable or enable KDC proxy, the switch in LDAP must be
> switched and Apache must be reloaded or restarted. The WSGI wrapper does
> NOT poll the state of the switch.

Actually the service part of "IPA servers" is not covered in the 
proposal. The proposal just says that it can be added later.

There will be a question of whether it should even be called "services". 
Maybe "capabilities" would be a better term, given that KDC Proxy is not a 
standalone service.

>
>
>>> 4) In order to read the state of the switch, the WSGI script needs to be
>>> able to connect to LDAP. I can use Apache's / FreeIPA webui's keytab to
>>> get a ticket for GSSAPI bind. However Apache has no permission to read
>>> ipaConfigStrings in the masters subtree. A new role/permission and ACI
>>> is required here.
>>
>> There is already a permission 'System: Read IPA Masters' and privilege
>> "IPA Masters Readers" defined, in
>> ipaserver/install/plugins/update_managed_permissions.py. Can this be used?
>
> The permission sounds too broad to me. There is probably a reason why
> all ipaConfigStrings entries are read-protected. I really just need
> search (and maybe compare) for ipaConfigString=enabledService.
>
> Thanks for your feedback,
> Christian
>
>


-- 
Petr Vobornik
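As an added illustration of the wrapper behaviour Christian describes (a switch read from LDAP once at start-up, never polled, so flipping it requires an Apache reload), the following Python is example code written for this thread, not FreeIPA's own kdcproxy wrapper. It assumes an already GSSAPI-bound python-ldap connection, a caller-supplied search base for the replica's entry under cn=masters (the exact DN is not given in the thread), and that only ipaConfigString is requested so a narrow search/compare permission suffices.

```python
# Added example, not FreeIPA's own code: a WSGI wrapper that reads the
# per-replica KDC proxy switch from LDAP once at start-up, as the thread
# describes (no polling; Apache must be reloaded after flipping the switch).
from typing import Callable, Iterable, List

SWITCH_VALUE = "enabledService"   # ipaConfigString value named in the thread


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value taken from config can't add filter terms."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def switch_filter(value: str = SWITCH_VALUE) -> str:
    """Filter for the one search Christian says the wrapper needs."""
    return "(ipaConfigString=%s)" % escape_filter_value(value)


def is_enabled(config_strings: Iterable[str]) -> bool:
    """ipaConfigString is compared case-insensitively (assumption here)."""
    return any(v.strip().lower() == SWITCH_VALUE.lower() for v in config_strings)


def read_switch(conn, base_dn: str) -> bool:
    """One LDAP search over an already GSSAPI-bound python-ldap connection.
    base_dn is the replica's entry under cn=masters (assumed, not from thread).
    Only ipaConfigString is requested, matching a narrow search/compare ACI."""
    import ldap  # python-ldap; imported lazily so the module loads without it
    res = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, switch_filter(),
                        attrlist=["ipaConfigString"])
    values = [v.decode() for _, attrs in res
              for v in attrs.get("ipaConfigString", [])]
    return is_enabled(values)


def make_application(enabled: bool, backend: Callable) -> Callable:
    """Build the WSGI callable. `enabled` is evaluated once, when the wrapper
    module is imported, which is why a change in LDAP needs an Apache reload."""
    def disabled_app(environ, start_response):
        start_response("503 Service Unavailable", [("Content-Type", "text/plain")])
        return [b"KDC proxy is disabled on this server\n"]
    return backend if enabled else disabled_app


def call_status(app: Callable, path: str = "/KdcProxy") -> str:
    """Invoke a WSGI app with a minimal environ and return its status line."""
    captured: List[str] = []
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path}
    list(app(environ, lambda status, headers: captured.append(status)))
    return captured[0]
```

At deployment the wrapper would call `read_switch` once at module import and pass the result to `make_application`, exactly the point at which a restart is required after changing the LDAP entry.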



