[Freeipa-devel] KDC proxy implementation specs

Christian Heimes cheimes at redhat.com
Thu May 28 14:34:56 UTC 2015


Hello,

thank you for your input. The former thread has 58 messages in total.
Since last Friday we have come to an agreement in most points. I'd like to
sum up our decisions and focus on some minor details.

decisions
---------

python-kdcproxy will be installed as a dependency of freeipa-server.
There won't be a separate freeipa-server-kdcproxy package. That may or
may not change in the future. The decision is out of scope for 4.2.0. [1]

KDC proxy support will be enabled by default. The config files and LDAP
settings will be created by ipa-server-install, ipa-server-upgrade and
ipa-replica-install.

The enabled/disabled switch will be stored per-replica in the
cn=masters,cn=ipa,cn=etc tree. An API and CLI tool for management is
postponed. [2] For now we settle for some doc examples that use the
ipa-ldap-updater as suggested by Alex. [3]


open for discussion
-------------------

Jan has suggested to use ipaConfigString=kdcProxyEnabled in
cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
ipaConfigString=enabledService in
cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me.
After all MS-KKDCP is just another transport for the KDC. [4]

Martin Basti suggested a different keytab and principal for kdcproxy.
[5] The keytab is only required for GSSAPI bind to lookup the state of
the enabled/disabled switch. The current patch uses the same keytab as
webgui.
A new principal separates kdcproxy more cleanly and allows for
fine-grained ACIs. It is also more future proof. In the future we may
want to move kdcproxy from an Apache WSGI app to a separate service. A
dedicated Twisted or asyncio daemon could handle more load.
A separate keytab is easy to implement, too. I looked at the code in
HTTPInstance.__create_http_keytab().

For the ACI I plan to add a new permission 'System: Read IPA Config
String' and make the principal a direct memberOf of it. We don't have
service roles yet. cn=roles,cn=accounts looks like end user roles to me.
The new ACI in cn=masters,cn=ipa,cn=etc will grant read, search and
compare permission:

(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Config String"; allow (read, search, compare) groupdn = "ldap:///cn=System: Read IPA Config String,cn=permissions,cn=pbac,dc=ipa,dc=example";)


I should be able to modify and test my patch in a matter of a couple of
hours.

Christian

[1] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00535.html
[2] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00555.html
[3] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00533.html
[4] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00543.html
[5] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00539.html
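An added example (editor's code, not Christian's patch and not part of python-kdcproxy) of how the per-replica switch described above could be evaluated by kdcproxy and flipped by an admin. It assumes Jan's ipaConfigString=kdcProxyEnabled variant under cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc, the suffix dc=ipa,dc=example from the ACI, and a constructed in-memory dict in place of the LDAP search so it runs offline:

```python
# Added example (not from the patch or python-kdcproxy). Assumes Jan's
# variant of the switch: ipaConfigString=kdcProxyEnabled on
# cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc; a missing entry or value means
# disabled. A constructed dict stands in for the LDAP directory.
SUFFIX = "dc=ipa,dc=example"   # constructed suffix, same as in the ACI
SWITCH = "kdcProxyEnabled"


def kdc_entry_dn(fqdn, suffix=SUFFIX):
    """DN of one master's KDC service entry under cn=masters."""
    return "cn=KDC,cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (fqdn, suffix)


def kdcproxy_enabled(directory, fqdn, suffix=SUFFIX):
    """True if the master's KDC entry carries the switch value.

    `directory` maps DN -> {attribute: [values]} and stands in for a base
    search on kdc_entry_dn(fqdn) asking only for ipaConfigString, which is
    what the proposed read/search/compare ACI lets the principal see.
    """
    entry = directory.get(kdc_entry_dn(fqdn, suffix))
    if entry is None:
        return False  # no KDC entry: not a master, or no read access
    return SWITCH in entry.get("ipaConfigString", [])


def switch_ldif(fqdn, enable, suffix=SUFFIX):
    """LDIF modify record an admin can feed to ldapmodify to flip the switch."""
    op = "add" if enable else "delete"
    return "\n".join([
        "dn: " + kdc_entry_dn(fqdn, suffix),
        "changetype: modify",
        "%s: ipaConfigString" % op,
        "ipaConfigString: " + SWITCH,
        "",
    ])


# Constructed sample directory: ipa1 has the switch, ipa2 only the generic
# enabledService flag, and ipa3 has no entry at all.
SAMPLE_DIRECTORY = {
    kdc_entry_dn("ipa1.ipa.example"): {
        "cn": ["KDC"],
        "ipaConfigString": ["enabledService", SWITCH],
    },
    kdc_entry_dn("ipa2.ipa.example"): {
        "cn": ["KDC"],
        "ipaConfigString": ["enabledService"],
    },
}
```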
