[Freeipa-devel] KDC proxy implementation specs

Rob Crittenden rcritten at redhat.com
Thu May 28 15:13:02 UTC 2015


Simo Sorce wrote:
> On Thu, 2015-05-28 at 17:00 +0200, Christian Heimes wrote:
>> On 2015-05-28 16:53, Simo Sorce wrote:
>>> We can't have 2 different keytabs with the same principal name.
>>> If we need privilege separation we'll have to work on integrating
>>> GSS-Proxy and give the keytab only to GSS-Proxy leaving it off the hands
>>> of both the framework, the proxy, and apache itself.
>>
>> I had a different principal like KDCPROXY/fqdn at realm in mind.
>>
>>> Although to be honest I do not see why the proxy needs access to the
>>> keytab at all, can we simply run it as a wsgi application under a
>>> different user and prevent it from accessing the apache keytab at all?
>>
>> Yes, mod_wsgi is able to run a WSGI app as a different user:
>>
>> https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIDaemonProcess
>>
>> A different user needs another location for the ccache and perhaps
>> additional SELinux rules.
>
> If you are using the keytab only to acquire credentials to access ldap
> you could use a memory ccache and not have to deal with locations:
> KRB5CCNAME=MEMORY:kdcproxy_<random_number>
>
>>> What do we need the keytab for?
>>> Is it just in order to authenticate and read if the service is enabled?
>>> Can we make that information available anonymously?
>>
>> Yes, the information is not available for anon bind. It doesn't feel
>> right to disclose the settings to the public.
>
> Another option is to use ldapi and external auth, I forgot if we allow
> automatic binding for non-root users though.
>
> Rob,
> do you remember ?

AFAIK we have no rules other than root -> DM.

rob
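The privilege-separation option Simo and Christian discuss above (running the proxy as a mod_wsgi daemon under its own user so it never needs the Apache keytab) can be expressed as an httpd configuration fragment. This is an added example, not configuration from the thread or from the FreeIPA project; the account name `kdcproxy`, the URL path `/KdcProxy` and the script path are assumptions for illustration.

```apache
# Added example (not from the thread or FreeIPA): mod_wsgi daemon mode with
# the KDC proxy running as a dedicated unprivileged account, so the process
# that handles untrusted client traffic cannot read the Apache HTTP keytab.
# The user/group name, URL path and script path are assumptions.

# One daemon process group for the proxy, running as its own account.
# display-name makes the processes easy to spot in ps output.
WSGIDaemonProcess kdcproxy user=kdcproxy group=kdcproxy \
    processes=2 threads=15 display-name=%{GROUP}

# Serve the proxy endpoint from that process group only.
WSGIScriptAlias /KdcProxy /usr/share/ipa/wsgi/kdcproxy.wsgi
<Location "/KdcProxy">
    WSGIProcessGroup kdcproxy
    WSGIApplicationGroup %{GLOBAL}
    Require all granted
</Location>
```

Two things to check after deploying this: the Apache keytab's ownership and mode must exclude the `kdcproxy` account (a plain `ls -l` on the keytab is enough), and if the proxy still needs to acquire credentials for LDAP, the WSGI script should set `KRB5CCNAME` to a `MEMORY:` cache with a random suffix, as suggested in the thread, before the first GSSAPI call, so no on-disk ccache location or extra SELinux labelling is needed for the new user.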
