[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Martin Kosek mkosek at redhat.com
Thu May 28 10:46:25 UTC 2015


On 05/28/2015 12:27 PM, Alexander Bokovoy wrote:
> On Thu, 28 May 2015, Christian Heimes wrote:
>> On 2015-05-28 12:10, Petr Spacek wrote:
>>>> I see. My question is - if we go this way, what is then the reasonable subset of
>>>> configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
>>>> feature in for 4.2). Is ipa-kdcproxy-manage doable?
>>>>
>>>> What is the proposed API here?
>>>>
>>>> ipa-kdcproxy-manage list
>>>> ipa-kdcproxy-manage enable <server>
>>>> ipa-kdcproxy-manage disable <server>
>>>
>>> I believe that for 4.2 it is perfectly enough to have per-replica switch in
>>> LDAP (enabled by default) and to provide ldapmodify command in docs. User
>>> interface can be polished later if we get the design right.
>>
>> For Petr's proposal to work we only need an additional ACI and maybe an
>> additional permission. I'm using Apache's keytab for LDAP bind. The
>> principal has no permission to read or search ipaConfigString attributes
>> in the cn=masters tree.
>>
>> An ipa-kdcproxy-manage is more work. I'd have to write the script and
>> implement a HTTP interface to reload all settings.
> I'm fine with that for 4.2. We can always add an example of
> enable/disable via ipa-ldap-updater tool which should be simplest one
> for admins as it includes template values for domain and IPA master
> hosts. See
> https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/ for
> examples, this one would be similar to how weak enctypes are enabled:
> 
> # 20-kdcproxy-enable-on-this-master.update
> dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> add:ipaConfigString:enabledService
> 
> # 20-kdcproxy-disable-on-this-master.update
> dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
> remove:ipaConfigString:enabledService

I am fine with this too. So if there is not another major disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the new ACI and
the per-replica standard configuration.

API CLI/UI can come later (4.2.x or 4.3).
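The "ldapmodify command in docs" that Petr proposes, written out as a script. This is an added example, not code from the thread or from the FreeIPA project. It builds the same LDAP change that Alexander's update files express (add or remove the ipaConfigString value enabledService on the per-master cn=KDCPROXY entry), applies it with ldapmodify, and then performs the check Christian's ACI remark calls for: binding as the HTTP service principal Apache uses and reading the flag back. Assumptions not stated in the thread: the Apache keytab is at /etc/httpd/conf/ipa.keytab (the 4.x default; newer releases moved it), the directory is reached over the ldapi socket as root (where a FreeIPA-configured 389-ds maps root to Directory Manager), and the realm is passed in as REALM.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA itself): flip the
# per-replica KDCPROXY switch and verify it as the HTTP principal.
#
# Assumptions, not taken from the original message:
#   - Apache keytab at /etc/httpd/conf/ipa.keytab (FreeIPA 4.x default)
#   - ldapi socket /var/run/slapd-<REALM-WITH-DASHES>.socket, root autobinds
#     to Directory Manager
set -eu

# "EXAMPLE.TEST" -> "dc=example,dc=test"
realm_to_suffix() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\./,dc=/g; s/^/dc=/'
}

# "EXAMPLE.TEST" -> "ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket"
realm_to_ldapi() {
    printf 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' \
        "$(printf '%s' "$1" | tr '.' '-')"
}

# DN of the per-master service entry named in the thread.
kdcproxy_dn() {
    printf 'cn=KDCPROXY,cn=%s,cn=masters,cn=ipa,cn=etc,%s' "$1" "$2"
}

# LDIF for the change; $1 = add|delete, $2 = DN.
# "delete" with an explicit value removes only that value, so the entry
# itself survives and a later "add" restores the enabled state.
kdcproxy_ldif() {
    printf 'dn: %s\nchangetype: modify\n%s: ipaConfigString\nipaConfigString: enabledService\n' \
        "$2" "$1"
}

# Read ldapsearch output on stdin; succeed iff the flag is present.
kdcproxy_flag_set() {
    grep -qx 'ipaConfigString: enabledService'
}

# Read the flag back as HTTP/<fqdn>, in a private ccache so the admin's
# own ticket is left alone. A failure here means either the flag is off
# or the HTTP principal cannot read ipaConfigString under cn=masters
# (the ACI gap discussed above).
verify_as_http() {
    fqdn=$1; dn=$2; rc=0
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit -kt /etc/httpd/conf/ipa.keytab "HTTP/$fqdn"
    if ldapsearch -LLL -Y GSSAPI -H "ldap://$fqdn" -b "$dn" -s base \
            ipaConfigString | kdcproxy_flag_set; then
        echo "KDCPROXY enabled on $fqdn and readable by HTTP/$fqdn"
    else
        echo "KDCPROXY disabled on $fqdn, or HTTP/$fqdn cannot read it (check ACI)" >&2
        rc=1
    fi
    kdestroy
    return $rc
}

# Usage: REALM=EXAMPLE.TEST ./kdcproxy-switch.sh enable|disable|verify [fqdn]
# With no arguments the script only defines the functions above.
case "${1:-}" in
  enable|disable|verify)
    realm=${REALM:?set REALM, e.g. REALM=EXAMPLE.TEST}
    fqdn=${2:-$(hostname -f)}
    dn=$(kdcproxy_dn "$fqdn" "$(realm_to_suffix "$realm")")
    case $1 in
      enable)  kdcproxy_ldif add    "$dn" | ldapmodify -Y EXTERNAL -H "$(realm_to_ldapi "$realm")" ;;
      disable) kdcproxy_ldif delete "$dn" | ldapmodify -Y EXTERNAL -H "$(realm_to_ldapi "$realm")" ;;
      verify)  verify_as_http "$fqdn" "$dn" ;;
    esac ;;
esac
```

The verify step exercises exactly the permission Christian describes as missing: if it fails while a Directory Manager search of the same entry shows the value, the ACI, not the switch, is the problem. Note that it checks only that the flag is stored and readable; whether the proxy honours a removed flag depends on the shim re-reading the entry.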
