[Freeipa-devel] KDC proxy implementation specs

Christian Heimes cheimes at redhat.com
Fri May 29 09:10:58 UTC 2015


On 2015-05-29 08:07, Nathaniel McCallum wrote:
> On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
>> Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
>>> On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
>>>> Jan has suggested to ipaConfigString=kdcProxyEnabled in
>>>> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
>>>> ipaConfigString=enabledService in
>>>> cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to 
>>>> me.
>>>> After all MS-KKDCP is just another transport for the KDC. [4]
>>>
>>> There may be a security concern here if we aren't careful. I think 
>>> I'm
>>> in favor of KDCPROXY since it is a different application.
>>
>> What concern would that be? It has been already established that KDC 
>> proxy is not a different application, but rather a subcomponent of 
>> KDC 
>> in the other thread.
> 
> Accidental exposure of something else in
> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc. My fear comes from the fact
> that in order to make this work we have to expose stuff in
> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc to apache. These kinds of
> cross-domain security allowances always raise red flags for me.

I don't need read permission for all ipaConfigString attributes. In fact,
search and compare for (ipaConfigString=kdcProxyEnabled) are just about
enough. Of course I have to name the permission differently. But that is
the least of my problems. :)

Your key master,
Christian
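Added illustration, not part of the thread or of FreeIPA's own permission definitions: the two 389-ds ACIs below contrast the broad grant Nathaniel is worried about (read on every ipaConfigString value under the KDC service entries) with the narrow one Christian describes (search and compare only, restricted to entries matching (ipaConfigString=kdcProxyEnabled)). The suffix, the acl names and the bind DN for the Apache process are placeholders; the real FreeIPA permission is managed through the permission plugin and will differ in naming.

```ldif
# Broad variant: lets the web server READ every ipaConfigString value on
# cn=KDC,cn=<any master>,cn=masters,cn=ipa,cn=etc. Anything else stored in
# that attribute on the KDC entry becomes visible to Apache.
dn: cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=KDC,cn=*,cn=masters,cn=ipa,cn=etc,dc=example,dc=com")
 (targetattr = "ipaConfigString")
 (version 3.0; acl "PLACEHOLDER broad: read KDC config";
 allow (read, search, compare)
 userdn = "ldap:///uid=HTTP-PLACEHOLDER,cn=services,cn=accounts,dc=example,dc=com";)

# Narrow variant: only search and compare, and only against entries that
# actually carry the kdcProxyEnabled flag. Apache can answer "is the proxy
# enabled on this master?" but cannot enumerate other ipaConfigString values.
dn: cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///cn=KDC,cn=*,cn=masters,cn=ipa,cn=etc,dc=example,dc=com")
 (targetattr = "ipaConfigString")
 (targetfilter = "(ipaConfigString=kdcProxyEnabled)")
 (version 3.0; acl "PLACEHOLDER narrow: detect KDC proxy flag";
 allow (search, compare)
 userdn = "ldap:///uid=HTTP-PLACEHOLDER,cn=services,cn=accounts,dc=example,dc=com";)
```

With the narrow ACI, a compare or a search for (ipaConfigString=kdcProxyEnabled) succeeds for the bound web server, while a search returning the attribute's other values is denied because read is not granted; the targetfilter additionally keeps the grant from applying to KDC entries that lack the flag.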
