[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Christian Heimes cheimes at redhat.com
Tue May 26 14:17:15 UTC 2015


On 2015-05-26 15:57, Nathaniel McCallum wrote:
> /KdcProxy
> 
> "The URI uses the virtual directory /KdcProxy unless otherwise
> configured."
> 
> https://msdn.microsoft.com/en-us/library/hh553891.aspx
> 
> Also, the proxy should be available over both HTTP and HTTPS.

Easy-peasy! I'm using /KdcProxy already and the default configuration
allows HTTP and HTTPS requests.

> I prefer enabled by default unless there is some performance or
> security consideration. Mere proxying isn't a security consideration
> since we already expose the KDC by default.

My latest patch enables the proxy by default.

> This is, indeed, a security problem. Do we have a strong use case for
> per-replica control? If not, let's just do a single global control
> since we can easily make this globally readable.

Martin and Petr both suggested per-replica configuration of the new
feature. Petr has argued it is a future-proof design. It will make
containerization of FreeIPA simpler as no schema change is required later.

Christian
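The proxy discussed in this thread wraps each Kerberos request in the MS-KKDCP KDC-PROXY-MESSAGE structure (the protocol behind the /KdcProxy endpoint referenced above). The following is an added example, not FreeIPA project code, showing how that DER structure is built and, more importantly for a proxy, how to validate it before forwarding: the 4-byte length prefix must match the payload and the message should be capped in size. The MAX_KERB_MESSAGE cap and the sample bytes are constructed values; the element tags follow the published KDC-PROXY-MESSAGE definition.

```python
"""Encode and validate MS-KKDCP KDC-PROXY-MESSAGE structures (added example).

KDC-PROXY-MESSAGE ::= SEQUENCE {
    kerb-message    [0] OCTET STRING,             -- 4-byte BE length + Kerberos PDU
    target-domain   [1] KerberosString OPTIONAL,  -- GeneralString
    dclocator-hint  [2] INTEGER OPTIONAL
}
"""
import struct

MAX_KERB_MESSAGE = 65536  # assumed cap on a proxied Kerberos PDU (constructed value)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_read_tlv(buf, pos):
    """Read one tag-length-value element; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    content = buf[pos:pos + length]
    if len(content) != length:
        raise ValueError("truncated DER element")
    return tag, content, pos + length


def encode_kdc_proxy_message(kerb_msg, target_domain=None, dclocator_hint=None):
    """Wrap a raw Kerberos PDU the way a KKDCP client does (TCP-style length prefix)."""
    framed = struct.pack(">I", len(kerb_msg)) + kerb_msg
    parts = _der_tlv(0xA0, _der_tlv(0x04, framed))                  # [0] OCTET STRING
    if target_domain is not None:
        parts += _der_tlv(0xA1, _der_tlv(0x1B, target_domain.encode("ascii")))  # [1] GeneralString
    if dclocator_hint is not None:
        body = dclocator_hint.to_bytes((dclocator_hint.bit_length() + 8) // 8, "big")
        parts += _der_tlv(0xA2, _der_tlv(0x02, body))               # [2] INTEGER
    return _der_tlv(0x30, parts)


def decode_kdc_proxy_message(data):
    """Parse and validate; raises ValueError on any framing or size problem."""
    tag, seq, end = _der_read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    result = {"kerb_message": None, "target_domain": None, "dclocator_hint": None}
    pos = 0
    while pos < len(seq):
        ctx_tag, inner, pos = _der_read_tlv(seq, pos)
        inner_tag, content, inner_end = _der_read_tlv(inner, 0)
        if inner_end != len(inner):
            raise ValueError("trailing bytes inside context-specific tag")
        if ctx_tag == 0xA0 and inner_tag == 0x04:
            if len(content) < 4:
                raise ValueError("kerb-message shorter than its length prefix")
            declared = struct.unpack(">I", content[:4])[0]
            if declared != len(content) - 4:
                raise ValueError("length prefix does not match payload length")
            if declared > MAX_KERB_MESSAGE:
                raise ValueError("kerb-message exceeds size cap")
            result["kerb_message"] = content[4:]
        elif ctx_tag == 0xA1 and inner_tag == 0x1B:
            result["target_domain"] = content.decode("ascii")
        elif ctx_tag == 0xA2 and inner_tag == 0x02:
            result["dclocator_hint"] = int.from_bytes(content, "big", signed=True)
        else:
            raise ValueError("unexpected element tag 0x%02x" % ctx_tag)
    if result["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return result


def is_valid_proxy_message(data):
    """Boolean gate a proxy can apply before relaying anything to the KDC."""
    try:
        decode_kdc_proxy_message(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample_pdu = b"\x6a" + bytes(range(200))          # constructed stand-in for an AS-REQ
    wire = encode_kdc_proxy_message(sample_pdu, "EXAMPLE.TEST", 0)
    print(decode_kdc_proxy_message(wire)["target_domain"])
```

Validating the framing up front is what keeps a proxy that is enabled by default from becoming an unbounded relay: a message whose declared length disagrees with its body, or which exceeds the cap, is rejected at the HTTP layer rather than handed to the KDC.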

