[Freeipa-devel] Kerberos over HTTPS (KDC proxy)
Jan Cholasta
jcholast at redhat.com
Thu May 28 05:42:16 UTC 2015
Dne 27.5.2015 v 15:54 Simo Sorce napsal(a):
> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
>> Dne 27.5.2015 v 15:43 Simo Sorce napsal(a):
>>> On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
>>>>>>
>>>>>> ipa config-mod --enable-kdcproxy=TRUE
>>>>>> ipa config-mod --enable-kdcproxy=FALSE
>>>>
>>>> I don't like this approach, as it is completely inconsistent with
>>>> every
>>>> other optional component. There should be *one* way to handle them
>>>> and
>>>> there already is one, no need to reinvent the wheel.
>>>
>>> Sorry Jan, but this is really the correct approach.
>>
>> I don't think so.
>>
>>>
>>> We want a boolean in LDAP to control whether the IPA Domain allows
>>> proxying or not, the code is embedded in the overall framework and has
>>> no need for explicit install/uninstall unlike the CA or DNS components.
>>
>> There is a boolean for every other component/service as well. If you
>> want to add new API to manipulate the boolean, fine, but it should be
>> done in a generic way that works for other components as well.
>
> This is the same as:
> ipa config-mod --enable-migration=TRUE
>
> Why is it a problem ?
This is a switch to enable the migrate-ds plugin. I think it's hardly
fair to compare it to a whole new component which provides a new service
to the outside world.
> This is not a separate service.
How is it not a separate service? If it's installed, MS-KKDCP is
provided to the outside world, and if it's not installed MS-KKDCP is not
provided to the outside world. How is this different from, say, DNS?
(Besides implementation details, such as what protocols or how many
daemons it uses - think about IPA as a black box for a moment.)
>
> Simo.
>
--
Jan Cholasta
More information about the Freeipa-devel
mailing list