[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Martin Basti mbasti at redhat.com
Thu May 28 11:29:31 UTC 2015


On 28/05/15 12:53, Christian Heimes wrote:
> On 2015-05-28 12:46, Martin Kosek wrote:
>> I am fine with this too. So if there is not another major disagreement, let us
>> start with enabling KDCPROXY by default during upgrade/install, the new ACI and
>> the per-replica standard configuration.
>>
>> API CLI/UI can come later (4.2.x or 4.3).
> LGTM, too.
>
> How should the new ACI work? I see two possible ways:
>
> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>
> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version 3.0; acl "Compare enabledService access to masters"; allow(search, compare) userdn = "ldap:///all";)
>
> 2) Create a new permission, assign it to all HTTP principals and allow
> read, compare and search for all ipaConfigString attributes.
>
> For the second way I need somebody to walk me through the permission and
> role system of FreeIPA.
3) Or we can create a new keytab for KDC proxy, and add permission only 
for this service

>
> Christian
>
>
>


-- 
Martin Basti
