[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Jan Cholasta jcholast at redhat.com
Wed May 27 11:57:03 UTC 2015


Dne 27.5.2015 v 13:34 Martin Kosek napsal(a):
> On 05/27/2015 01:33 PM, Christian Heimes wrote:
>> On 2015-05-27 11:59, Martin Kosek wrote:
>>> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
>>>> On Wed, 27 May 2015, Martin Kosek wrote:
>>>>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
>>>>>> Dne 22.5.2015 v 12:24 Christian Heimes napsal(a):
>>>>> ...
>>>>>>> Finally I haven't figured out the best way to configure the instance. An
>>>>>>> admin should be able to enable / disable KDC proxy. Should I write a
>>>>>>> script or an ipa plugin for the job?
>>>>>>
>>>>>> A script, ipa-kdcproxy-install, if you want to be consistent with what's
>>>>>> already there.
>>>>>
>>>>> I thought we wanted to install it by default and only switch it on/off via
>>>>> configuration in LDAP. In that case, no ipa-*-install should be needed.
>>>> As with any other feature which requires configuration of other
>>>> components, if it wasn't installed before, you need to make sure you are
>>>> able to configure it over upgraded instance. Not providing
>>>> ipa-kdcproxy-install would mean you are not supporting an upgrade case.
>>>
>>> I do not disagree with the approach for optional components. But as I wrote
>>> above, this was supposed to be configured everywhere by default - both on new
>>> and upgraded installations.

It doesn't matter whether it's installed by default or not. This is to 
support disabling and enabling the component - "ipa-kdcproxy-install" to 
enable, "ipa-kdcproxy-install --uninstall" to disable.

>>>
>>> AFAIK, it is mostly just one config for Apache and wsgi script.
>>
>> Yes, it is really just one boolean switch (service enabled/disabled).
>> The state of the switch is read when Apache is started or reloaded. In
>> the default state KDC Proxy is enabled. When the service is disabled,
>> the WSGI script replies with 404 instead. All remaining settings like
>> kdc, kadmin and kpasswd server(s) are read from /etc/krb5.conf.

This is just an implementation detail.

>>
>> I had both the per-replica and the global switch implemented. After a
>> discussion with Nathaniel and Martin, it's now a global switch only.
>> Nathaniel argued that a global switch is easier to implement as well as
>> sufficient for now.
>>
>> The state of the switch is controlled with ipa config-mod:
>>
>>    ipa config-mod --enable-kdcproxy=TRUE
>>    ipa config-mod --enable-kdcproxy=FALSE

I don't like this approach, as it is completely inconsistent with every 
other optional component. There should be *one* way to handle them and 
there already is one, no need to reinvent the wheel.

>>
>> The schema changes for the new attribute are handled by
>> ipa-server-upgrade. The Apache config file is created by
>> ipa-server-install, ipa-replica-install and ipa-server-upgrade.
>
> Thanks. This is all we need for 4.2, IMO.
>
> Martin
>

-- 
Jan Cholasta
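The behaviour Christian describes above (a single enable switch read when Apache starts or reloads, a 404 reply while disabled, and the KDC list taken from /etc/krb5.conf) as a small illustrative WSGI gate. This is an added example, not FreeIPA's kdcproxy code; the realm, host names and the krb5.conf fragment are constructed, and actual relaying of the Kerberos message to a KDC is left out.

```python
"""Illustrative KDC-proxy enable switch (added example, not FreeIPA's kdcproxy)."""
import re

# Constructed /etc/krb5.conf fragment; realm and host names are made up.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
[realms]
 EXAMPLE.TEST = {
  kdc = ipa1.example.test:88
  kdc = ipa2.example.test:88
  kpasswd_server = ipa1.example.test:464
 }
"""

def parse_kdcs(text):
    """Return {realm: [kdc, ...]} from the [realms] section of a krb5.conf."""
    realms, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip()
            realms[realm] = []
        elif realm and line == "}":
            realm = None
        elif realm and re.match(r"kdc\s*=", line):
            realms[realm].append(line.split("=", 1)[1].strip())
    return realms

class KdcProxyGate:
    """WSGI app. The enable flag is read once at construction, i.e. at Apache
    start/reload; a disabled proxy (or one with no KDCs) answers 404."""
    def __init__(self, enabled, krb5_conf=SAMPLE_KRB5_CONF, realm="EXAMPLE.TEST"):
        self.enabled = enabled
        self.kdcs = parse_kdcs(krb5_conf).get(realm, [])

    def __call__(self, environ, start_response):
        if not self.enabled or not self.kdcs:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"KDC proxy disabled\n"]
        if environ.get("REQUEST_METHOD") != "POST":  # KKDCP is POST-only
            start_response("405 Method Not Allowed", [("Allow", "POST")])
            return [b""]
        # A real proxy would relay the request body to one of self.kdcs here.
        start_response("200 OK", [("Content-Type", "application/kerberos")])
        return [b""]

def call(app, method="POST"):
    """Drive the WSGI app with a minimal environ and return its status line."""
    status = []
    app({"REQUEST_METHOD": method}, lambda s, h: status.append(s))
    return status[0]
```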