[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Simo Sorce simo at redhat.com
Thu May 28 13:28:35 UTC 2015


On Thu, 2015-05-28 at 12:14 +0300, Alexander Bokovoy wrote:
> On Thu, 28 May 2015, Martin Kosek wrote:
> >On 05/28/2015 10:02 AM, Jan Cholasta wrote:
> >> Dne 28.5.2015 v 09:45 Christian Heimes napsal(a):
> >>> On 2015-05-28 07:32, Jan Cholasta wrote:
> >>>> Dne 27.5.2015 v 16:01 Christian Heimes napsal(a):
> >>>>> On 2015-05-27 15:51, Nathaniel McCallum wrote:
> >>>>>> As I understand the problem, there is an assumption that an optional
> >>>>>> component has a distinct service to start and stop. That is not the
> >>>>>> case here. This is just new config for apache.
> >>>>>
> >>>>> More details:
> >>>>>
> >>>>> The KDC Proxy uses the same Apache instance as FreeIPAs Web GUI and
> >>>>> Tomcat. There is no extra service involved. The switch just decides if
> >>>>> https://ipa.example.org/KdcProxy acts as a MS-KKDCP end point or returns
> >>>>> a 404 error.
> >>>>
> >>>> FYI Tomcat does not use the same Apache instance, the Apache instance is
> >>>> configured to proxy requests to Tomcat.
> >>>>
> >>>> If the IPA KDC proxy package is not installed on a replica, then going
> >>>> to /KdcProxy will return 404, right? Why is an additional switch
> >>>> necessary then?
> >>>
> >>> The python-kdcproxy package is a new dependency for the freeipa-server
> >>> package. It will always get installed with the server.
> >>
> >> Why? None of the IPA core functionality depends on it, so it should be
> >> optional. Also the overall trend in IPA is to have everything in subpackages.
> >
> >Do not look at it as a separate component. It is mostly just a new transport
> >for Kerberos. FreeIPA already provides Kerberos via TCP and UDP. This is a
> >third transport - HTTP.
> See my other response. With changes in https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00
> we'll need to manage _kerberos.$DOMAIN URI DNS record (not just TXT one
> like now) to explicitly report where the proxies are located. This goes
> beyond just global switch in LDAP and requires ipa-kdcproxy-manage tool.

Not really, we'll use the enable/disable switch to find out which DNS
records to publish, like we do for SRV records now, no special tool is
needed for now.

Simo.


-- 
Simo Sorce * Red Hat, Inc * New York
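An added example, not FreeIPA's own code, of the switch-driven publication described in this reply: the enable/disable switch decides whether a `_kerberos.$DOMAIN` URI record advertising the MS-KKDCP endpoint is published alongside the existing SRV records, and a small audit finds proxy records left in the zone while the switch is off. The `krb5srv:<flags>:<transport>:<residual>` target format is taken from the cited draft and the hostnames are constructed; both are assumptions.

```python
# Added example (not FreeIPA code): derive the Kerberos DNS records to publish
# from the KDC-proxy switch, and audit a record set for proxies advertised while
# the switch is off. URI target format "krb5srv:<flags>:<transport>:<residual>"
# is assumed from draft-mccallum-kitten-krb-service-discovery-00.

KDCPROXY_PATH = "/KdcProxy"  # endpoint path named in the thread


def uri_target(flags: str, transport: str, residual: str) -> str:
    return f"krb5srv:{flags}:{transport}:{residual}"


def parse_uri_target(target: str) -> tuple[str, str, str]:
    """Split a krb5srv URI target into (flags, transport, residual)."""
    scheme, flags, transport, residual = target.split(":", 3)
    if scheme != "krb5srv":
        raise ValueError(f"not a krb5srv target: {target!r}")
    return flags, transport, residual


def records_to_publish(domain: str, kdcs: list[str],
                       kdcproxy_enabled: bool) -> list[tuple[str, str, str]]:
    """Return (owner, rtype, rdata) tuples for the domain.

    SRV records are always published. The URI record for the MS-KKDCP
    endpoint is published only when the switch is on, so a disabled proxy
    (whose /KdcProxy answers 404) is never advertised to clients.
    """
    records = []
    for host in kdcs:
        for proto in ("udp", "tcp"):
            records.append((f"_kerberos._{proto}.{domain}.", "SRV",
                            f"0 100 88 {host}."))
        if kdcproxy_enabled:
            target = uri_target("m", "kkdcp", f"https://{host}{KDCPROXY_PATH}")
            records.append((f"_kerberos.{domain}.", "URI", f'20 1 "{target}"'))
    return records


def stale_proxy_records(records: list[tuple[str, str, str]],
                        kdcproxy_enabled: bool) -> list[tuple[str, str, str]]:
    """URI records that advertise a kkdcp proxy although the switch is off."""
    if kdcproxy_enabled:
        return []
    stale = []
    for rec in records:
        _owner, rtype, rdata = rec
        if rtype == "URI" and parse_uri_target(rdata.split('"')[1])[1] == "kkdcp":
            stale.append(rec)
    return stale
```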