[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Martin Kosek mkosek at redhat.com
Thu May 28 08:19:01 UTC 2015


On 05/28/2015 07:29 AM, Jan Cholasta wrote:
> On 27.5.2015 at 15:51 Nathaniel McCallum wrote:
>> On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
>>> On 27.5.2015 at 15:43 Simo Sorce wrote:
>>>> On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
>>>>>>>
>>>>>>>      ipa config-mod --enable-kdcproxy=TRUE
>>>>>>>      ipa config-mod --enable-kdcproxy=FALSE
>>>>>
>>>>> I don't like this approach, as it is completely inconsistent with
>>>>> every other optional component. There should be *one* way to handle
>>>>> them and there already is one, no need to reinvent the wheel.
>>>>
>>>> Sorry Jan, but this is really the correct approach.
>>>
>>> I don't think so.
>>>
>>>>
>>>> We want a boolean in LDAP to control whether the IPA Domain allows
>>>> proxying or not, the code is embedded in the overall framework and
>>>> has no need for explicit install/uninstall unlike the CA or DNS
>>>> components.
>>>
>>> There is a boolean for every other component/service as well. If you
>>> want to add new API to manipulate the boolean, fine, but it should be
>>> done in a generic way that works for other components as well.
>>
>> As I understand the problem, there is an assumption that an optional
>> component has a distinct service to start and stop. That is not the
>> case here. This is just new config for apache.
>>
>> Nathaniel
>>
> 
> I say that's a wrong assumption. It should not matter whether the service is
> provided by an actual daemon, or a set of daemons or no daemon, as that is an
> implementation detail. By installing KDC proxy on IPA server an actual new
> service is provided to the outside world, which is conceptually the same as
> adding DNS or CA, so I don't see why it should be handled differently.

It is not another new service, like DNS or CA. It is another transport for
Kerberos, on top of TCP/UDP. Can we please stop bikeshedding here?
