[Freeipa-devel] KDC proxy implementation specs

Jan Cholasta jcholast at redhat.com
Fri May 29 06:11:55 UTC 2015


Dne 29.5.2015 v 08:07 Nathaniel McCallum napsal(a):
> On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
>> Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
>>> On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
>>>> Jan has suggested to use ipaConfigString=kdcProxyEnabled in
>>>> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
>>>> ipaConfigString=enabledService in
>>>> cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to
>>>> me.
>>>> After all, MS-KKDCP is just another transport for the KDC. [4]
>>>
>>> There may be a security concern here if we aren't careful. I think
>>> I'm in favor of KDCPROXY since it is a different application.
>>
>> What concern would that be? It has already been established that KDC
>> proxy is not a different application, but rather a subcomponent of
>> KDC in the other thread.
>
> Accidental exposure of something else in
> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc. My fear comes from the fact
> that in order to make this work we have to expose stuff in
> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc to apache. These kinds of
> cross-domain security allowances always raise red flags for me.

Well, the only exposed thing would be ipaConfigString, which always has
an "enabledService" value for KDC and optionally would have a
"kdcProxyEnabled" value if KDC proxy is enabled. IMO if someone wants to
put something sensitive in there, they should use a different attribute
anyway.

>
> Don't cross the streams... it would be bad. :)

Unless Zuul comes into the picture.

>
> Nathaniel
>


-- 
Jan Cholasta