[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Martin Basti mbasti at redhat.com
Thu May 28 12:08:28 UTC 2015


On 28/05/15 14:06, Christian Heimes wrote:
> On 2015-05-28 13:29, Martin Basti wrote:
>> On 28/05/15 12:53, Christian Heimes wrote:
>>> On 2015-05-28 12:46, Martin Kosek wrote:
>>>> I am fine with this too. So if there is not another major disagreement, let us
>>>> start with enabling KDCPROXY by default during upgrade/install, the new ACI and
>>>> the per-replica standard configuration.
>>>>
>>>> API CLI/UI can come later (4.2.x or 4.3).
>>> LGTM, too.
>>>
>>> How should the new ACI work? I see two possible ways:
>>>
>>> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>>>
>>> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version
>>> 3.0; acl "Compare enabledService access to masters"; allow(search,
>>> compare) userdn = "ldap:///all";)
>>>
>>> 2) Create a new permission, assign it to all HTTP principals and allow
>>> read, compare and search for all ipaConfigString attributes.
>>>
>>> For the second way I need somebody to walk me through the permission and
>>> role system of FreeIPA.
>> 3) Or we can create a new keytab for KDC proxy, and add permission only
>> for this service
> The new keytab must be readable by the Apache process. Therefore a new
> keytab doesn't give us extra security. It separates the kdcproxy service
> from the IPA webgui. Is that your goal?
>
> Christian
>
OK, then nevermind :-)

Martin^2

-- 
Martin Basti
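To make concrete what option 1 in the quoted discussion grants, here is an added example (not code from this thread or from FreeIPA) that parses that ACI string and reports which rights it gives, on which attribute, and to whom. It handles only the subset of the 389-ds ACI syntax used in the thread (one target filter, one target attribute, one allow/deny rule with one bind rule), which is an assumption.

```python
import re

# The ACI proposed as option 1 in the thread, joined onto one line.
ACI_ENABLED_SERVICE = (
    '(targetfilter="(ipaConfigString=enabledService)")'
    '(targetattr="ipaConfigString")'
    '(version 3.0; acl "Compare enabledService access to masters"; '
    'allow(search, compare) userdn = "ldap:///all";)'
)

_TARGET_RE = re.compile(r'\((target\w*)\s*=\s*"([^"]*)"\)')
_PERM_RE = re.compile(
    r'\(version\s+([\d.]+);\s*acl\s+"([^"]*)";\s*'
    r'(allow|deny)\s*\(([^)]*)\)\s*(.*?);\s*\)$'
)


def parse_aci(aci):
    """Split an ACI into its target clauses and its permission/bind rule.
    Assumption: only the syntax subset used in the thread is supported."""
    targets = dict(_TARGET_RE.findall(aci))
    m = _PERM_RE.search(aci)
    if m is None:
        raise ValueError("unsupported ACI syntax: %s" % aci)
    version, name, effect, rights, bindrule = m.groups()
    return {
        "targetfilter": targets.get("targetfilter"),
        "targetattr": targets.get("targetattr"),
        "version": version,
        "name": name,
        "effect": effect,
        "rights": {r.strip() for r in rights.split(",")},
        "bindrule": re.sub(r"\s+", "", bindrule),
    }


def grants(parsed, right, attr):
    """True if the ACI allows `right` on attribute `attr` (attribute names are
    case-insensitive in LDAP, so compare them that way)."""
    if parsed["effect"] != "allow":
        return False
    target = parsed["targetattr"] or ""
    attr_ok = target == "*" or target.lower() == attr.lower()
    return attr_ok and right in parsed["rights"]


def review(aci):
    """Summarise the ACI: who it binds, whether it lets a client evaluate a
    filter on the attribute (search/compare), and whether it returns the
    attribute's values (read). Entries are limited by the target filter."""
    p = parse_aci(aci)
    return {
        "anyone": p["bindrule"] == 'userdn="ldap:///all"',
        "can_test_filter": grants(p, "search", "ipaConfigString")
        and grants(p, "compare", "ipaConfigString"),
        "returns_values": grants(p, "read", "ipaConfigString"),
        "limited_to_filter": p["targetfilter"],
    }
```

Running `review(ACI_ENABLED_SERVICE)` shows the rule is world-bindable, permits search and compare on ipaConfigString for entries matching the target filter, and grants no read right, so attribute values are not returned.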