[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Christian Heimes cheimes at redhat.com
Thu May 28 11:56:36 UTC 2015


On 2015-05-28 13:30, Jan Cholasta wrote:
> On 28.5.2015 at 12:53, Christian Heimes wrote:
>> On 2015-05-28 12:46, Martin Kosek wrote:
>>> I am fine with this too. So if there is not another major disagreement,
>>> let us start with enabling KDCPROXY by default during upgrade/install,
>>> the new ACI and the per-replica standard configuration.
>>>
>>> API CLI/UI can come later (4.2.x or 4.3).
>>
>> LGTM, too.
>>
>> How should the new ACI work? I see two possible ways:
>>
>> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>>
>> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version 3.0; acl "Compare enabledService access to masters"; allow(search, compare) userdn = "ldap:///all";)
>>
>> 2) Create a new permission, assign it to all HTTP principals and allow
>> read, compare and search for all ipaConfigString attributes.
>>
>> For the second way I need somebody to walk me through the permission and
>> role system of FreeIPA.
>>
>> Christian
> 
> So, will it be a separate component with its own freeipa-server-kdcproxy
> subpackage and installer or will it be a sub-component of KDC (as Martin
> suggested) and part of the core freeipa-server package?

For now I'm in favor of a sub-component as part of the freeipa-server
package.

Christian
