[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Simo Sorce simo at redhat.com
Wed May 27 13:56:19 UTC 2015


On Wed, 2015-05-27 at 15:41 +0200, Petr Vobornik wrote:
> On 05/27/2015 03:34 PM, Christian Heimes wrote:
> > On 2015-05-27 14:47, Petr Vobornik wrote:
> >> Install/uninstall is not the same thing as enable/disable. Installation
> >> is a set of steps which first configures and then (optionally) enables
> >> the component.
> >>
> >> E.g:
> >> 1. modify configuration file(s), ldap entries
> >> 2. run something which starts the component. E.g. `systemctl start xxx`,
> >> an ldap change which is being observed (like topology plugin).
> >>
> >> The only rationale for an external tool is to do stuff which can't be done
> >> through the API. E.g. restart of httpd.service or a need for Directory
> >> Manager. But in that case the tool should be:
> >>
> >> ipa-kdcproxy-manage enable|disable
> >
> > Right, the restart of httpd.service isn't handled by ipa config-mod. A
> > tool like ipa-kdcproxy-manage could handle the restart on a local
> > machine. As far as I know it won't be able to restart httpd on all
> > replicas, too.
> >
> > My current implementation needs a restart of all Apache servers on all
> > machines, that run a kdc proxy instance.
> >
> > Christian
> >
> 
> It would be great to have a privileged daemon which could observe 
> replicated configuration and perform such tasks on all servers so we 
> would eliminate manual tasks (and errors and misconceptions which are 
> caused by forgotten manual tasks) as much as possible.

Yes, this is something we have had a need for for a while; we could, perhaps,
turn custodia into such a service, or embed custodia in there, as they are
both very privileged services that interact with LDAP to find
information.

Simo.

> -- 
> Petr Vobornik
> 


-- 
Simo Sorce * Red Hat, Inc * New York
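The thread separates "configure" (write local config, set a replicated LDAP flag) from the step the API cannot do (restart the local httpd), and proposes a privileged daemon that watches the replicated configuration and performs that step on every server. The following is an added example, not FreeIPA or custodia code: a single idempotent reconciliation pass such a daemon could run. It assumes a dict standing in for the replicated entry with a hypothetical `ipakdcproxyenabled` attribute, a local drop-in file whose first line records the configured state (the marker lines are placeholders, not the real kdcproxy Apache configuration), and an injected `restart` callable in place of `systemctl restart httpd.service`, so the pass runs offline. A second pass with no drift does nothing, which is the property that removes the "forgotten manual restart" class of error.

```python
"""Reconcile a replicated enable/disable flag against local web-server state.

Added example, not FreeIPA/custodia code. All names and file contents below
are assumptions made for illustration.
"""
import os
import tempfile
from dataclasses import dataclass

# Hypothetical first-line markers for the local drop-in this server owns.
# The real kdcproxy Apache configuration looks different; these stand in for it.
ENABLED_MARKER = "# ipa-kdcproxy: enabled\n"
DISABLED_MARKER = "# ipa-kdcproxy: disabled\n"
# Placeholder for the directives that would expose the proxy endpoint.
ENABLED_BODY = "# (placeholder) directives exposing the KDC proxy endpoint go here\n"


@dataclass
class Actions:
    """What one reconciliation pass actually did (for logging and tests)."""
    wrote_config: bool = False
    restarted: bool = False


def local_enabled(conf_path):
    """Report the state recorded in the local drop-in.

    Returns True/False for a recognised marker, or None when the file is
    missing or hand-edited; None never matches the desired state, so the
    pass rewrites the file and restarts rather than trusting unknown content.
    """
    if not os.path.exists(conf_path):
        return None
    with open(conf_path) as f:
        first = f.readline()
    if first == ENABLED_MARKER:
        return True
    if first == DISABLED_MARKER:
        return False
    return None


def reconcile(replicated_entry, conf_path, restart):
    """Run one pass: make local state match the replicated flag.

    replicated_entry: dict standing in for the LDAP config entry
                      (assumed attribute 'ipakdcproxyenabled' = 'TRUE'/'FALSE').
    conf_path:        path of the drop-in file this server owns.
    restart:          callable that restarts the local httpd; injected so the
                      pass is testable without systemctl.
    """
    desired = replicated_entry.get("ipakdcproxyenabled", "FALSE").upper() == "TRUE"
    actions = Actions()
    if local_enabled(conf_path) == desired:
        return actions  # no drift: nothing written, nothing restarted

    # Write to a temp file and swap it in atomically so httpd never reads a
    # half-written configuration if it happens to reload concurrently.
    tmp = conf_path + ".tmp"
    with open(tmp, "w") as f:
        f.write(ENABLED_MARKER if desired else DISABLED_MARKER)
        if desired:
            f.write(ENABLED_BODY)
    os.replace(tmp, conf_path)
    actions.wrote_config = True

    # The step the API cannot perform: a local privileged action.
    restart()
    actions.restarted = True
    return actions


def demo():
    """Three passes against a temporary drop-in: enable, repeat, disable.

    Returns the three Actions records and the total number of restarts.
    """
    restarts = []
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "ipa-kdcproxy.conf")
        enabled = {"ipakdcproxyenabled": "TRUE"}
        disabled = {"ipakdcproxyenabled": "FALSE"}
        first = reconcile(enabled, conf, lambda: restarts.append(1))   # drift: file missing
        second = reconcile(enabled, conf, lambda: restarts.append(1))  # no drift
        third = reconcile(disabled, conf, lambda: restarts.append(1))  # flag flipped
    return first, second, third, len(restarts)


if __name__ == "__main__":
    print(demo())
```

In a real daemon the pass would be triggered by an LDAP persistent search or a polling loop, and `restart` would wrap the service manager; the reconcile logic itself stays the same, which is what makes it safe to run on every replica without coordination.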