[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Martin Kosek mkosek at redhat.com
Tue May 26 14:24:03 UTC 2015


On 05/26/2015 04:17 PM, Christian Heimes wrote:
> On 2015-05-26 15:57, Nathaniel McCallum wrote:
>> /KdcProxy
>>
>> "The URI uses the virtual directory /KdcProxy unless otherwise
>> configured."
>>
>> https://msdn.microsoft.com/en-us/library/hh553891.aspx
>>
>> Also, the proxy should be available over both HTTP and HTTPS.
>
> Easy-peasy! I'm using /KdcProxy already and the default configuration
> allows HTTP and HTTPS requests.

Just make sure it works with the IPA https rewrite rule:

# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT}  !^443$$
RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
RewriteRule ^/ipa/(.*)      https://$FQDN/ipa/$$1 [L,R=301,NC]

>
>> I prefer enabled by default unless there is some performance or
>> security consideration. Mere proxying isn't a security consideration
>> since we already expose the KDC by default.
>
> My latest patch enables the proxy by default.
>
>> This is, indeed, a security problem. Do we have a strong use case for
>> per-replica control? If not, let's just do a single global control
>> since we can easily make this globally readable.
>
> Martin and Petr both suggested per-replica configuration of the new
> feature. Petr has argued it is a future-proof design. It will make
> containerization of FreeIPA simpler as no schema change is required later.

I discussed this briefly with Nathaniel; if this is sufficiently easy/doable, I
am fine with it. If not, then adding the global control may be the way for
FreeIPA 4.2 GA, and the per-replica control can be implemented later.
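As an added illustration (not code from this thread, nor from FreeIPA or the KDC proxy patch), the rewrite rule quoted above can be modelled in Python to check which request paths it bounces to https and which it leaves alone. The template's `$$` is read as a single `$` as it would be in the installed config; the hostname ipa.example.test and the sample request paths are constructed for the example.

```python
import re

# Constructed hostname standing in for the $FQDN template variable.
FQDN = "ipa.example.test"

# The RewriteCond patterns and the RewriteRule pattern from the IPA rewrite
# template, with the template's `$$` un-escaped to `$`. The RewriteCond
# lines carry no [NC] flag, so they are case-sensitive; only the RewriteRule
# itself is case-insensitive.
EXEMPT_PREFIX = re.compile(r"^/ipa/(errors|config|crl)")
STATIC_ASSET = re.compile(
    r"^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$"
)
IPA_PATH = re.compile(r"^/ipa/(.*)", re.IGNORECASE)


def rewrite(server_port, request_uri):
    """Model of the rule: return the 301 Location it would emit for a
    request on server_port with path request_uri, or None if the rule does
    not fire and the request is served as-is."""
    # RewriteCond %{SERVER_PORT} !^443$
    if server_port == 443:
        return None
    # RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
    if EXEMPT_PREFIX.search(request_uri):
        return None
    # RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|...)$
    if STATIC_ASSET.search(request_uri):
        return None
    # RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$1 [L,R=301,NC]
    m = IPA_PATH.match(request_uri)
    if m is None:
        return None
    return f"https://{FQDN}/ipa/{m.group(1)}"


def http_reachable(request_uri):
    """True if a plain-HTTP (port 80) request to request_uri is served
    without a redirect, which a KDC proxy client talking over HTTP needs."""
    return rewrite(80, request_uri) is None


# Constructed sample requests: (port, path, what the rule is expected to do).
SAMPLES = [
    (80, "/KdcProxy", None),                         # not under /ipa/: untouched
    (80, "/ipa/ui/", f"https://{FQDN}/ipa/ui/"),     # web UI: forced to https
    (80, "/ipa/config/ca.crt", None),                # exempt prefix
    (80, "/ipa/ui/js/freeipa/app.js", None),         # static asset exemption
    (443, "/ipa/session/json", None),                # already on 443
    (80, "/IPA/session/json", f"https://{FQDN}/ipa/session/json"),    # [NC]
    (80, "/IPA/config/ca.crt", f"https://{FQDN}/ipa/config/ca.crt"),  # cond is case-sensitive
]


def check_samples(samples=SAMPLES):
    """Return the samples whose modelled outcome differs from the expected
    one; an empty list means the model agrees with every expectation."""
    return [(p, u, exp, rewrite(p, u)) for p, u, exp in samples if rewrite(p, u) != exp]


if __name__ == "__main__":
    for port, uri, _ in SAMPLES:
        print(f"{port:>3} {uri:<28} -> {rewrite(port, uri) or 'served as-is'}")
    print("mismatches:", check_samples())
```

The model only shows that the rule's `^/ipa/` pattern cannot touch `/KdcProxy`; the last two samples show the one rough edge, that the exemptions are case-sensitive while the redirect is not. Against a real server the same check is a plain-HTTP request to the proxy path and confirming the response is not a 301.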
