[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Alexander Bokovoy abokovoy at redhat.com
Thu May 28 09:14:10 UTC 2015


On Thu, 28 May 2015, Martin Kosek wrote:
>On 05/28/2015 10:02 AM, Jan Cholasta wrote:
>> On 28.5.2015 at 09:45 Christian Heimes wrote:
>>> On 2015-05-28 07:32, Jan Cholasta wrote:
>>>> On 27.5.2015 at 16:01 Christian Heimes wrote:
>>>>> On 2015-05-27 15:51, Nathaniel McCallum wrote:
>>>>>> As I understand the problem, there is an assumption that an optional
>>>>>> component has a distinct service to start and stop. That is not the
>>>>>> case here. This is just new config for apache.
>>>>>
>>>>> More details:
>>>>>
>>>>> The KDC Proxy uses the same Apache instance as FreeIPA's Web GUI and
>>>>> Tomcat. There is no extra service involved. The switch just decides if
>>>>> https://ipa.example.org/KdcProxy acts as a MS-KKDCP end point or returns
>>>>> a 404 error.
>>>>
>>>> FYI Tomcat does not use the same Apache instance, the Apache instance is
>>>> configured to proxy requests to Tomcat.
>>>>
>>>> If the IPA KDC proxy package is not installed on a replica, then going
>>>> to /KdcProxy will return 404, right? Why is an additional switch
>>>> necessary then?
>>>
>>> The python-kdcproxy package is a new dependency for the freeipa-server
>>> package. It will always get installed with the server.
>>
>> Why? None of the IPA core functionality depends on it, so it should be
>> optional. Also the overall trend in IPA is to have everything in subpackages.
>
>Do not look at it as a separate component. It is mostly just a new transport
>for Kerberos. FreeIPA already provides Kerberos via TCP and UDP. This is a
>third transport - HTTP.
See my other response. With changes in https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00
we'll need to manage a _kerberos.$DOMAIN URI DNS record (not just the TXT one
like now) to explicitly report where the proxies are located. This goes
beyond just a global switch in LDAP and requires an ipa-kdcproxy-manage tool.
-- 
/ Alexander Bokovoy
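To make the discovery record Alexander refers to concrete, here is an added example (not code from the thread, FreeIPA or python-kdcproxy) that parses and ranks `_kerberos.$DOMAIN` URI records. The `krb5srv:<flags>:<transport>:<residual>` target syntax is taken from MIT krb5's implementation of the kitten service-discovery draft and is assumed here to match what FreeIPA would publish; the rrset, hostnames and the rule that a `kkdcp` residual must be an `https` URL are constructed for this example.

```python
"""Parse and rank Kerberos URI service-discovery records.

Added example, not FreeIPA or python-kdcproxy code. Target syntax
krb5srv:<flags>:<transport>:<residual> follows MIT krb5's reading of the
kitten service-discovery draft (assumption for this example).
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class KrbUriRecord:
    priority: int
    weight: int
    flags: str
    transport: str
    residual: str

    @property
    def is_master(self) -> bool:
        # "m" flag marks a master KDC (assumed flag meaning)
        return "m" in self.flags


VALID_TRANSPORTS = {"tcp", "udp", "kkdcp"}


def parse_uri_target(priority: int, weight: int, target: str) -> KrbUriRecord:
    """Parse one URI record target of the form krb5srv:<flags>:<transport>:<residual>.

    The residual itself contains ':' (host:port or an https URL), so the
    split is limited to the first three separators.
    """
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError(f"not a krb5srv target: {target!r}")
    _, flags, transport, residual = parts
    if transport not in VALID_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r} in {target!r}")
    if transport == "kkdcp":
        url = urlsplit(residual)
        # Policy choice for this example: an MS-KKDCP endpoint must be an
        # https URL with a host; anything else is treated as misconfiguration.
        if url.scheme != "https" or not url.hostname:
            raise ValueError(f"kkdcp residual must be an https URL: {residual!r}")
    elif not residual:
        raise ValueError(f"missing host for {transport} in {target!r}")
    return KrbUriRecord(priority, weight, flags, transport, residual)


def rank_records(records):
    """Order records as a client would try them: lowest priority first, then
    highest weight (URI records reuse SRV priority/weight semantics)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight))


def kkdcp_endpoints(rrset):
    """Return (ordered list of KDC proxy URLs, list of rejection reasons)
    from an rrset given as (priority, weight, target) tuples."""
    parsed, rejected = [], []
    for prio, weight, target in rrset:
        try:
            parsed.append(parse_uri_target(prio, weight, target))
        except ValueError as exc:
            rejected.append(str(exc))
    urls = [r.residual for r in rank_records(parsed) if r.transport == "kkdcp"]
    return urls, rejected


# Constructed rrset for _kerberos.example.org URI; not data from the thread.
EXAMPLE_RRSET = [
    (20, 1, "krb5srv::kkdcp:https://replica1.example.org/KdcProxy"),
    (10, 1, "krb5srv:m:kkdcp:https://ipa.example.org/KdcProxy"),
    (10, 1, "krb5srv:m:tcp:ipa.example.org:88"),
    (30, 1, "krb5srv::kkdcp:http://insecure.example.org/KdcProxy"),
]

if __name__ == "__main__":
    urls, rejected = kkdcp_endpoints(EXAMPLE_RRSET)
    print("proxy order:", urls)
    for msg in rejected:
        print("rejected:", msg)
```

Running the module lists the two HTTPS proxies in priority order and reports the plaintext-HTTP entry as rejected, which is the kind of check a management tool would want to apply before publishing the record rather than after clients have started using it.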