[Freeipa-devel] KDC proxy implementation specs

Nathaniel McCallum npmccallum at redhat.com
Fri May 29 06:07:31 UTC 2015


On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
> Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
> > On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
> > > Jan has suggested to ipaConfigString=kdcProxyEnabled in
> > > cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
> > > ipaConfigString=enabledService in
> > > cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to 
> > > me.
> > > After all MS-KKDCP is just another transport for the KDC. [4]
> > 
> > There may be a security concern here if we aren't careful. I think 
> > I'm
> > in favor of KDCPROXY since it is a different application.
> 
> What concern would that be? It has been already established that KDC 
> proxy is not a different application, but rather a subcomponent of 
> KDC 
> in the other thread.

Accidental exposure of something else in
cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc. My fear comes from the fact
that in order to make this work we have to expose stuff in
cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc to apache. These kinds of
cross-domain security allowances always raise red flags for me.

Don't cross the streams... it would be bad. :)

Nathaniel
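
The exposure argument above, as an added example that is not FreeIPA project code and not part of the original post. It models the two LDAP layouts being discussed (a kdcProxyEnabled flag on cn=KDC versus a separate cn=KDCPROXY entry with enabledService) as constructed python-ldap-style search results, and shows what a reader granted access to the relevant entry would see under each. The DNs follow the thread; the suffix dc=example,dc=test, the extra "startOrder 10" value on the KDC entry, and case-insensitive matching of ipaConfigString values are assumptions made for the example.

```python
# Added example, not FreeIPA code. Entries below are constructed sample data
# shaped like python-ldap search results: (dn, {attribute: [bytes, ...]}).
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[bytes]]]

# Suffix is an assumption; the thread only shows the cn=masters,cn=ipa,cn=etc part.
MASTERS_BASE = "cn=masters,cn=ipa,cn=etc,dc=example,dc=test"


def master_dn(fqdn: str) -> str:
    return f"cn={fqdn},{MASTERS_BASE}"


def kdc_dn(fqdn: str) -> str:
    return f"cn=KDC,{master_dn(fqdn)}"


def kdcproxy_dn(fqdn: str) -> str:
    return f"cn=KDCPROXY,{master_dn(fqdn)}"


def layout_flag_on_kdc(fqdn: str, enabled: bool) -> List[Entry]:
    """Layout suggested by Jan: the proxy flag sits on the KDC entry itself.
    'startOrder 10' is a constructed stand-in for whatever else lives there."""
    values = [b"enabledService", b"startOrder 10"]
    if enabled:
        values.append(b"kdcProxyEnabled")
    return [(kdc_dn(fqdn), {"cn": [b"KDC"], "ipaConfigString": values})]


def layout_separate_entry(fqdn: str, enabled: bool) -> List[Entry]:
    """Layout Nathaniel favours: a separate KDCPROXY entry next to the KDC one."""
    kdc: Entry = (kdc_dn(fqdn), {"cn": [b"KDC"],
                                 "ipaConfigString": [b"enabledService", b"startOrder 10"]})
    proxy: Entry = (kdcproxy_dn(fqdn), {"cn": [b"KDCPROXY"],
                                        "ipaConfigString": [b"enabledService"] if enabled else []})
    return [kdc, proxy]


def kdcproxy_enabled(entries: List[Entry], fqdn: str) -> bool:
    """True if the master advertises the KDC proxy under either layout.
    DNs are compared case-insensitively, as LDAP does; value matching is
    assumed case-insensitive too."""
    want_kdc, want_proxy = kdc_dn(fqdn).lower(), kdcproxy_dn(fqdn).lower()
    for dn, attrs in entries:
        values = {v.lower() for v in attrs.get("ipaConfigString", [])}
        if dn.lower() == want_kdc and b"kdcproxyenabled" in values:
            return True
        if dn.lower() == want_proxy and b"enabledservice" in values:
            return True
    return False


def exposed_to_reader(entries: List[Entry], readable_dns: List[str]) -> Dict[str, List[str]]:
    """Everything a principal granted read on `readable_dns` (e.g. the Apache
    identity running the proxy) would learn: {dn: sorted ipaConfigString values}.
    This is the 'accidental exposure' the thread worries about."""
    readable = {d.lower() for d in readable_dns}
    return {dn: sorted(v.decode() for v in attrs.get("ipaConfigString", []))
            for dn, attrs in entries if dn.lower() in readable}


if __name__ == "__main__":
    host = "ipa.example.test"  # constructed hostname
    # Flag on cn=KDC: Apache must read the KDC entry and sees everything on it.
    a = layout_flag_on_kdc(host, True)
    print(kdcproxy_enabled(a, host), exposed_to_reader(a, [kdc_dn(host)]))
    # Separate entry: Apache only needs cn=KDCPROXY; cn=KDC stays invisible.
    b = layout_separate_entry(host, True)
    print(kdcproxy_enabled(b, host), exposed_to_reader(b, [kdcproxy_dn(host)]))
```

The difference is only in what the read grant has to cover: with the flag on cn=KDC the proxy's identity must be allowed to read an entry that also carries unrelated KDC configuration, whereas a dedicated cn=KDCPROXY entry can be granted on its own.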



