[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Christian Heimes cheimes at redhat.com
Wed May 27 11:33:04 UTC 2015


On 2015-05-27 11:59, Martin Kosek wrote:
> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
>> On Wed, 27 May 2015, Martin Kosek wrote:
>>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
>>>> Dne 22.5.2015 v 12:24 Christian Heimes napsal(a):
>>> ...
>>>>> Finally I haven't figured out the best way to configure the instance. An
>>>>> admin should be able to enable / disable KDC proxy. Should I write a
>>>>> script or an ipa plugin for the job?
>>>>
>>>> A script, ipa-kdcproxy-install, if you want to be consistent with what's
>>>> already there.
>>>
>>> I thought we wanted to install it by default and only switch it on/off via
>>> configuration in LDAP. In that case, no ipa-*-install should be needed.
>> As with any other feature which requires configuration of other
>> components, if it wasn't installed before, you need to make sure you are
>> able to configure it over upgraded instance. Not providing
>> ipa-kdcproxy-install would mean you are not supporting an upgrade case.
> 
> I do not disagree with the approach for optional components. But as I wrote
> above, this was supposed to be configured everywhere by default - both on new
> and upgraded installations.
> 
> AFAIK, it is mostly just one config for Apache and wsgi script.

Yes, it is really just one boolean switch (service enabled/disabled).
The state of the switch is read when Apache is started or reloaded. In
the default state KDC Proxy is enabled. When the service is disabled,
the WSGI script replies with 404 instead. All remaining settings like
kdc, kadmin and kpasswd server(s) are read from /etc/krb5.conf.

I had both the per-replica and the global switch implemented. After a
discussion with Nathaniel and Martin, it's now a global switch only.
Nathaniel argued that a global switch is easier to implement as well as
sufficient for now.

The state of the switch is controlled with ipa config-mod:

  ipa config-mod --enable-kdcproxy=TRUE
  ipa config-mod --enable-kdcproxy=FALSE

The schema changes for the new attribute are handled by
ipa-server-upgrade. The Apache config file is created by
ipa-server-install, ipa-replica-install and ipa-server-upgrade.

Christian
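The behaviour Christian describes (one global boolean switch read when the WSGI application is loaded, a 404 reply while the proxy is disabled, and the kdc/kadmin/kpasswd servers taken from /etc/krb5.conf) can be sketched as a small WSGI gate. The code below is an added illustration, not FreeIPA's or python-kdcproxy's code: the switch value format ("TRUE"/"FALSE"), the function names, the downstream handler and the sample krb5.conf content are all assumptions made for the example.

```python
"""Hypothetical WSGI gate for a KDC proxy (illustration, not FreeIPA code).

The enable/disable decision is taken once, when make_application() runs,
which is the moment Apache starts or reloads the WSGI script; flipping the
switch afterwards has no effect until the next reload, exactly the
semantics described in the message above.
"""

# Constructed sample krb5.conf content; not copied from any real host.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST

[realms]
 EXAMPLE.TEST = {
  kdc = ipa1.example.test:88
  kdc = ipa2.example.test:88
  kadmin_server = ipa1.example.test:749
  kpasswd_server = ipa1.example.test:464
 }
"""


def parse_realms(text):
    """Parse the [realms] section of a krb5.conf-style file.

    Returns {realm: {key: [values...]}}; repeated keys (several 'kdc' lines)
    are kept in order. Other sections are skipped; comments are ignored.
    """
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].strip().lower(), None
            continue
        if section != "realms":
            continue
        if current is None:
            name, sep, rest = line.partition("=")
            if sep and rest.strip() == "{":          # start of 'REALM = {'
                current = name.strip()
                realms[current] = {}
            continue
        if line == "}":                               # end of the realm block
            current = None
            continue
        key, sep, value = line.partition("=")
        if sep:
            realms[current].setdefault(key.strip(), []).append(value.strip())
    return realms


def read_switch(value):
    """Interpret the stored boolean ('TRUE'/'FALSE', str or bytes). Assumed format."""
    if isinstance(value, bytes):
        value = value.decode("ascii")
    normalized = value.strip().upper()
    if normalized == "TRUE":
        return True
    if normalized == "FALSE":
        return False
    raise ValueError("unexpected switch value: %r" % (value,))


def kdc_listing_app(realms, realm):
    """Assumed downstream handler: reports the KDC targets the proxy would use."""
    def application(environ, start_response):
        body = ("\n".join(realms[realm].get("kdc", [])) + "\n").encode("ascii")
        start_response("200 OK", [("Content-Type", "text/plain"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    return application


def make_application(enabled, downstream):
    """Build the WSGI entry point; 'enabled' is sampled here, at load time."""
    def application(environ, start_response):
        if not enabled:
            body = b"KDC proxy is disabled\n"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return downstream(environ, start_response)
    return application


def call_wsgi(app, environ=None):
    """Minimal in-process WSGI caller used to exercise the gate offline."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ or {}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    realms = parse_realms(SAMPLE_KRB5_CONF)
    for switch in (b"TRUE", b"FALSE"):
        app = make_application(read_switch(switch), kdc_listing_app(realms, "EXAMPLE.TEST"))
        print(switch.decode(), "->", call_wsgi(app))
```

Because `enabled` is captured when the application object is built, an operator who runs `ipa config-mod --enable-kdcproxy=FALSE` must also reload Apache before clients see the 404, which is worth remembering when verifying the change.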
