[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Nathaniel McCallum npmccallum at redhat.com
Wed May 27 13:54:16 UTC 2015


On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
> On 05/27/2015 03:34 PM, Christian Heimes wrote:
> > On 2015-05-27 14:47, Petr Vobornik wrote:
> > > Install/uninstall is not the same thing as enable/disable. Installation
> > > is a set of steps which first configures and then (optionally) enables
> > > the component.
> > > 
> > > E.g:
> > > 1. modify configuration file(s), ldap entries
> > > 2. run something which starts the component. E.g. `systemctl start xxx`,
> > > an ldap change which is being observed (like topology plugin).
> > > 
> > > The only rationale for an external tool is to do stuff which can't be done
> > > through API. E.g. restart of httpd.service or a need of Directory
> > > Manager. But in that case the tool should be:
> > > 
> > > ipa-kdcproxy-manage enable|disable
> > 
> > Right, the restart of httpd.service isn't handled by ipa config-mod. A
> > tool like ipa-kdcproxy-manage could handle the restart on a local
> > machine. As far as I know it won't be able to restart httpd on all
> > replicas, too.
> > 
> > My current implementation needs a restart of all Apache servers on all
> > machines that run a kdc proxy instance.
> > 
> > Christian
> > 
> 
> It would be great to have a privileged daemon which could observe
> replicated configuration and perform such tasks on all servers so we
> would eliminate manual tasks (and errors and misconceptions which are
> caused by forgotten manual tasks) as much as possible.

*security shiver*



