[Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

Christian Heimes cheimes at redhat.com
Fri May 29 14:54:27 UTC 2015


Changes since patch 1:
- Further simplify krb ticket code
  Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are
  sufficient for the GSSAPI.
  http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation
- switch is now in ipaConfigString=kdcProxyEnabled of
  cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc
- add service principal KDCPROXY
- add own keytab /etc/ipa/kdcproxy/kdcproxy.keytab
- add permission 'System: Read IPA Masters KDC Proxy'
- add privilege 'IPA Masters KDC Proxy Readers'
- add ipa-ldap-updater scripts to enable/disable KDC Proxy
- Create a separate user and group account
  The KDC Proxy WSGI app now uses a separate user account to run the
  daemon process. The keytab is only readable by that user, too.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
Type: text/x-patch
Size: 48305 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150529/819222e9/attachment.bin>
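An added example, not code from the attached patch: a pre-start check for the last changelog item (keytab readable only by the service account), plus the environment for keytab initiation with a MEMORY ccache. The keytab path is the one named above; the `MEMORY:kdcproxy` ccache label, the function names and the temp-file stand-in are assumptions made for illustration.

```python
import os
import stat
import tempfile

# Path from the changelog above.
KEYTAB = "/etc/ipa/kdcproxy/kdcproxy.keytab"

def audit_keytab(path, expected_uid):
    """Return a list of findings; an empty list means the keytab is a
    regular file owned by expected_uid with no group/other access."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    except FileNotFoundError:
        return ["missing: %s" % path]
    findings = []
    if not stat.S_ISREG(st.st_mode):
        findings.append("not a regular file")
    if st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other bits set: %o" % stat.S_IMODE(st.st_mode))
    return findings

def gssapi_env(keytab, base=None):
    """Environment for keytab initiation: the Kerberos library gets the
    initial ticket from the client keytab and keeps it in process memory."""
    env = dict(os.environ if base is None else base)
    env["KRB5_CLIENT_KTNAME"] = keytab
    env["KRB5CCNAME"] = "MEMORY:kdcproxy"  # assumed ccache label, not from the patch
    return env

def demo():
    """Audit a constructed temp file standing in for the keytab."""
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "kdcproxy.keytab")
        with open(path, "wb") as f:
            f.write(b"constructed placeholder, not a real keytab")
        os.chmod(path, 0o644)   # world-readable: should be flagged
        loose = audit_keytab(path, uid)
        os.chmod(path, 0o600)   # owner-only: should pass
        tight = audit_keytab(path, uid)
    return loose, tight

if __name__ == "__main__":
    print(demo())
    print(gssapi_env(KEYTAB, base={}))
```
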