[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Petr Vobornik pvoborni at redhat.com
Wed May 27 13:41:29 UTC 2015


On 05/27/2015 03:34 PM, Christian Heimes wrote:
> On 2015-05-27 14:47, Petr Vobornik wrote:
>> Install/uninstall is not the same thing as enable/disable. Installation
>> is a set of steps which first configures and then (optionally) enables
>> the component.
>>
>> E.g:
>> 1. modify configuration file(s), ldap entries
>> 2. run something which starts the component. E.g. `systemctl start xxx`,
>> an ldap change which is being observed (like topology plugin).
>>
>> The only rationale for external tool is to do stuff which can't be done
>> through API. E.g. restart of httpd.service or a need of Directory
>> Manager. But in that case the tool should be:
>>
>> ipa-kdcproxy-manage enable|disable
>
> Right, the restart of httpd.service isn't handled by ipa config-mod. A
> tool like ipa-kdcproxy-manage could handle the restart on a local
> machine. As far as I know it won't be able to restart httpd on all
> replicas, too.
>
> My current implementation needs a restart of all Apache servers on all
> machines, that run a kdc proxy instance.
>
> Christian
>

It would be great to have a privileged daemon which could observe
replicated configuration and perform such tasks on all servers so we
would eliminate manual tasks (and errors and misconceptions which are
caused by forgotten manual tasks) as much as possible.
-- 
Petr Vobornik



