[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Christian Heimes cheimes at redhat.com
Thu May 28 10:17:23 UTC 2015


On 2015-05-28 12:10, Petr Spacek wrote:
>> I see. My question is - if we go this way, what is then the reasonable subset
>> configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
>> feature in for 4.2). Is ipa-kdcproxy-manage doable?
>>
>> What is the proposed API here?
>>
>> ipa-kdcproxy-manage list
>> ipa-kdcproxy-manage enable <server>
>> ipa-kdcproxy-manage disable <server>
> 
> I believe that for 4.2 it is perfectly enough to have per-replica switch in
> LDAP (enabled by default) and to provide ldapmodify command in docs. User
> interface can be polished later if we get the design right.

For Petr's proposal to work we only need an additional ACI and maybe an
additional permission. I'm using Apache's keytab for LDAP bind. The
principal has no permission to read or search ipaConfigString attributes
in the cn=masters tree.

An ipa-kdcproxy-manage is more work. I'd have to write the script and
implement an HTTP interface to reload all settings.

Christian
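The two LDAP pieces discussed in this message, written out as an added illustration that is not part of the thread or of FreeIPA's own code: an ACI that lets the HTTP service principal (the one whose keytab Apache binds with) read and search ipaConfigString under cn=masters, and a per-replica ldapmodify that turns the proxy off on one server. The suffix dc=example,dc=com with cn=ipa,cn=etc below it, the realm EXAMPLE.COM, the replica name ipa1.example.com, the cn=KDC sub-entry, and the marker value kdcProxyEnabled are all assumptions made for the example; the message itself names only ipaConfigString and cn=masters.

```ldif
# Added example, not from the thread. All DNs and the marker value are assumed.
#
# 1) ACI so the HTTP service principal can read the per-replica switch.
#    Without it the bind Christian describes cannot see ipaConfigString
#    anywhere in the cn=masters subtree.
dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ipaConfigString")(version 3.0; acl "Allow HTTP service to read KDC proxy switch"; allow (read, search, compare) userdn = "ldap:///krbprincipalname=HTTP/ipa1.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com";)

# 2) Per-replica switch, enabled by default: the installer is assumed to add
#    "ipaConfigString: kdcProxyEnabled" to each master's cn=KDC entry, so
#    disabling the proxy on one replica means removing that one value.
dn: cn=KDC,cn=ipa1.example.com,cn=masters,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
delete: ipaConfigString
ipaConfigString: kdcProxyEnabled
```

Both changes are applied with the usual Directory Manager or admin credentials, e.g. `ldapmodify -H ldaps://ipa1.example.com -Y GSSAPI -f kdcproxy.ldif`. The ACI grants only read, search and compare on a single attribute, so the HTTP principal still cannot flip the switch itself; re-enabling is the mirror image (`add: ipaConfigString` with the same value).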

