[Freeipa-devel] KDC proxy implementation specs

Christian Heimes cheimes at redhat.com
Thu May 28 15:00:21 UTC 2015


On 2015-05-28 16:53, Simo Sorce wrote:
> We can't have 2 different keytabs with the same principal name.
> If we need privilege separation we'll have to work on integrating
> GSS-Proxy and give the keytab only to GSS-Proxy, leaving it out of the
> hands of the framework, the proxy, and apache itself.

I had a different principal like KDCPROXY/fqdn@realm in mind.

> Although to be honest I do not see why the proxy need access to the
> keytab at all, can we simply run it as a wsgi application under a
> different user and prevent it from accessing the apache keytab at all ?

Yes, mod_wsgi is able to run a WSGI app as a different user:

https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIDaemonProcess

A different user needs another location for the ccache and perhaps
additional SELinux rules.

> What do we need the keytab for ?
> Is it just in order to authenticate and read if the service is enabled ?
> Can we make that information available anonymously ?

Yes, the information is not available for anon bind. It doesn't feel
right to disclose the settings to the public.

Christian

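The privilege-separation arrangement discussed above (the proxy started by mod_wsgi as its own user, with its own ccache location and no access to the Apache keytab) is easy to get subtly wrong at deployment time, so the proxy should verify it at start-up. The following is an added example, not code from the thread or from FreeIPA: it assumes a directive such as `WSGIDaemonProcess kdcproxy user=kdcproxy group=kdcproxy` and uses placeholder paths (`APACHE_KEYTAB`, `CCACHE_BASE`) that are assumptions for illustration. It refuses to run as root or as the wrong user, checks from the keytab's mode bits that the proxy user cannot read it, and points `KRB5CCNAME` at a 0700 directory owned by the proxy user. SELinux policy is out of scope here.

```python
"""Start-up checks for a KDC proxy that runs as its own unprivileged user.

Added example, not FreeIPA code.  It assumes mod_wsgi starts the app with a
directive such as

    WSGIDaemonProcess kdcproxy user=kdcproxy group=kdcproxy

and that the framework's keytab lives at a path like the placeholder
APACHE_KEYTAB below; both names are assumptions for illustration.
"""
import os
import stat

APACHE_KEYTAB = "/etc/httpd/conf/ipa.keytab"   # placeholder path, not FreeIPA's
CCACHE_BASE = "/run/kdcproxy"                  # placeholder directory


class PrivilegeSeparationError(RuntimeError):
    """Raised when the process is not confined the way the deployment expects."""


def check_unprivileged(expected_uid, euid=None):
    """Refuse to start as root or as any user other than the dedicated one.

    euid defaults to the effective uid of the running process; it is a
    parameter so the check can be unit-tested without switching users.
    """
    if euid is None:
        euid = os.geteuid()
    if euid == 0:
        raise PrivilegeSeparationError("KDC proxy must not run as root")
    if euid != expected_uid:
        raise PrivilegeSeparationError(
            "KDC proxy runs as uid %d, expected %d" % (euid, expected_uid))
    return euid


def keytab_is_protected(keytab_path, uid):
    """True if a process with this uid cannot read keytab_path.

    Evaluates the owner/group/other read bits of the file's mode instead of
    calling os.access(), so the question can be asked about a uid other than
    the caller's.  It is deliberately conservative: for a non-owner, any
    group or world read bit counts as exposed (supplementary group
    membership and ACLs are not examined).  A keytab the proxy cannot even
    stat() is treated as protected.
    """
    try:
        st = os.stat(keytab_path)
    except PermissionError:
        return True
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return not mode & stat.S_IRUSR
    return not mode & (stat.S_IRGRP | stat.S_IROTH)


def ccache_for_user(uid, base_dir=CCACHE_BASE):
    """Create a private directory for the proxy's credential cache and return
    the KRB5CCNAME value pointing into it.

    The directory is created 0700 and re-chmodded so the umask cannot widen
    it: a world-readable ccache would hand the proxy's tickets to every
    other user on the host.
    """
    os.makedirs(base_dir, mode=0o700, exist_ok=True)
    os.chmod(base_dir, 0o700)
    return "FILE:%s/krb5cc_%d" % (base_dir, uid)


def configure_process(expected_uid, keytab_path=APACHE_KEYTAB,
                      base_dir=CCACHE_BASE, euid=None):
    """Run all checks; on success set KRB5CCNAME for the process and return it.

    Call this from the .wsgi script before importing anything that talks to
    Kerberos, since libkrb5 reads KRB5CCNAME when the ccache is first opened.
    """
    uid = check_unprivileged(expected_uid, euid)
    try:
        protected = keytab_is_protected(keytab_path, uid)
    except FileNotFoundError:
        protected = True   # nothing there to protect
    if not protected:
        raise PrivilegeSeparationError(
            "%s is readable by the proxy user; tighten its mode or owner"
            % keytab_path)
    ccname = ccache_for_user(uid, base_dir)
    os.environ["KRB5CCNAME"] = ccname
    return ccname
```

The mode-bit check is intentionally stricter than `os.access()`: it fails closed on any group or world read bit rather than trying to reason about which groups the proxy user belongs to, which is the check a practitioner wants when the goal is that only Apache (or, as Simo suggests, only GSS-Proxy) can read the keytab.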
