[Freeipa-devel] KDC proxy implementation specs
Jan Cholasta
jcholast at redhat.com
Fri May 29 06:02:26 UTC 2015
Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
> On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
>> Jan has suggested to ipaConfigString=kdcProxyEnabled in
>> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
>> ipaConfigString=enabledService in
>> cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me.
>> After all MS-KKDCP is just another transport for the KDC. [4]
>
> There may be a security concern here if we aren't careful. I think I'm
> in favor of KDCPROXY since it is a different application.
What concern would that be? It has been already established that KDC
proxy is not a different application, but rather a subcomponent of KDC
in the other thread.
--
Jan Cholasta
More information about the Freeipa-devel
mailing list