[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Martin Kosek mkosek at redhat.com
Wed May 27 11:34:39 UTC 2015


On 05/27/2015 01:33 PM, Christian Heimes wrote:
> On 2015-05-27 11:59, Martin Kosek wrote:
>> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
>>> On Wed, 27 May 2015, Martin Kosek wrote:
>>>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
>>>>> Dne 22.5.2015 v 12:24 Christian Heimes napsal(a):
>>>> ...
>>>>>> Finally I haven't figured out the best way to configure the instance. An
>>>>>> admin should be able to enable / disable KDC proxy. Should I write a
>>>>>> script or a ipa plugin for the job?
>>>>>
>>>>> A script, ipa-kdcproxy-install, if you want to be consistent with what's
>>>>> already there.
>>>>
>>>> I thought we wanted to install it by default and only switch it on/off via
>>>> configuration in LDAP. In that case, no ipa-*-install should be needed.
>>> As with any other feature which requires configuration of other
>>> components, if it wasn't installed before, you need to make sure you are
>>> able to configure it over upgraded instance. Not providing
>>> ipa-kdcproxy-install would mean you are not supporting an upgrade case.
>>
>> I do not disagree with the approach for optional components. But as I wrote
>> above, this was supposed to be configured everywhere by default - both on new
>> and upgraded installations.
>>
>> AFAIK, it is mostly just one config for Apache and wsgi script.
> 
> Yes, it is really just one boolean switch (service enabled/disabled).
> The state of the switch is read when Apache is started or reloaded. In
> the default state KDC Proxy is enabled. When the service is disabled,
> the WSGI script replies with 404 instead. All remaining settings like
> kdc, kadmin and kpasswd server(s) are read from /etc/krb5.conf.
> 
> I had both the per-replica and the global switch implemented. After a
> discussion with Nathaniel and Martin, it's now a global switch only.
> Nathaniel argued that a global switch is easier to implement as well as
> sufficient for now.
> 
> The state of the switch is controlled with ipa config-mod:
> 
>   ipa config-mod --enable-kdcproxy=TRUE
>   ipa config-mod --enable-kdcproxy=FALSE
> 
> The schema changes for the new attribute are handled by
> ipa-server-upgrade. The Apache config file is created
> ipa-server-install, ipa-replica-install and ipa-server-upgrade.

Thanks. This is all we need for 4.2, IMO.

Martin
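The switch semantics described in the quoted message (one global boolean, read only when Apache starts or reloads, a 404 reply while disabled, everything else left to the proxied application), as an added example that is not FreeIPA's or kdcproxy's own code. `read_switch` stands in for the LDAP lookup done by the real WSGI script and `kdcproxy_stub` for the real kdcproxy application; both are assumptions made so the gate runs offline.

```python
import io


def kdcproxy_stub(environ, start_response):
    """Constructed stand-in for the real kdcproxy WSGI application."""
    start_response("200 OK", [("Content-Type", "application/kerberos")])
    return [b"KDC-PROXY-MESSAGE stand-in"]


def build_kdcproxy_gate(inner_app, read_switch):
    """Wrap inner_app behind a single global on/off switch.

    The switch is evaluated exactly once, when the WSGI application object
    is created (i.e. when Apache starts or reloads).  This mirrors the
    behaviour described in the thread: flipping the value afterwards has no
    effect on a running server until the next reload.
    """
    enabled = bool(read_switch())  # hypothetical: the real script reads LDAP

    def application(environ, start_response):
        if not enabled:
            # Disabled service answers 404, as described in the thread.
            body = b"KDC proxy is disabled on this server\n"
            start_response("404 Not Found", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        # Enabled: hand the request straight to the proxied application.
        return inner_app(environ, start_response)

    return application


def call(app, path="/KdcProxy", method="POST"):
    """Tiny WSGI driver returning (status, body) for a constructed request."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "wsgi.input": io.BytesIO(b""), "SERVER_NAME": "ipa.example.test"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body
```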
