[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Nathaniel McCallum npmccallum at redhat.com
Tue May 26 14:50:49 UTC 2015


On Tue, 2015-05-26 at 16:43 +0200, Christian Heimes wrote:
> On 2015-05-26 16:24, Martin Kosek wrote:
> > On 05/26/2015 04:17 PM, Christian Heimes wrote:
> > > On 2015-05-26 15:57, Nathaniel McCallum wrote:
> > > > /KdcProxy
> > > > 
> > > > "The URI uses the virtual directory /KdcProxy unless otherwise
> > > > configured."
> > > > 
> > > > https://msdn.microsoft.com/en-us/library/hh553891.aspx
> > > > 
> > > > Also, the proxy should be available over both HTTP and HTTPS.
> > > 
> > > Easy-peasy! I'm using /KdcProxy already and the default configuration
> > > allows HTTP and HTTPS requests.
> > 
> > Just make sure it works with the IPA might https rewrite rule:
> > 
> > # Redirect to the secure port if not displaying an error or retrieving
> > # configuration.
> > RewriteCond %{SERVER_PORT}  !^443$$
> > RewriteCond %{REQUEST_URI}  !^/ipa/(errors|config|crl)
> > RewriteCond %{REQUEST_URI}  !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
> > RewriteRule ^/ipa/(.*)      https://$FQDN/ipa/$$1 [L,R=301,NC]
> 
> The KDC proxy WSGI app is mounted at /KdcProxy. The IPA rewrite rule
> only affects /ipa* paths.
> 
> 
> > I discussed this briefly with Nathaniel, if this is sufficiently
> > easy/doable, I am fine with it. If not, then adding the global control
> > may be the way for FreeIPA 4.2 GA and implementing the per-replica control
> > later.
> 
> I guess the per-replica configuration is a bit more work. As far as I
> know FreeIPA has no command line tool to enable/disable services in the
> cn=masters,cn=ipa,cn=etc subtree. For starters Petr Vobornik has
> suggested an API command to list IPA servers. His proposal doesn't
> include an API to modify services of a server, though.

Right. So as I see it, we have three options:
1. Merge kdcproxy soon with a global switch.
  A. Build per-replica switches later.
  B. Never build per-replica switches.
2. Merge kdcproxy later with per-replica switches.

I don't think having both types of switches is bad UX. In fact, I think
it is better UX than per-replica switches alone. Since per-replica
switches are a superset of the global switch functionality, let's do 1A
and do per-replica switches later (if needed and feasible).

Nathaniel
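To check the claim in the thread that the IPA https rewrite block only touches /ipa* paths and leaves /KdcProxy alone on both HTTP and HTTPS, here is an added Python simulation of that block (example code written for this page, not FreeIPA's own code or the proxy's). It assumes a constructed hostname ipa.example.test in place of $FQDN, and renders the template's escaped "$$" as a literal "$".

```python
import re

# Assumption: constructed stand-in for the $FQDN variable of the IPA template.
FQDN = "ipa.example.test"

# The RewriteCond lines quoted in the thread as (variable, negated, pattern).
# The template's "$$" is an escaped "$", so it is a single "$" here.
REWRITE_CONDS = [
    ("SERVER_PORT", True, re.compile(r"^443$")),
    ("REQUEST_URI", True, re.compile(r"^/ipa/(errors|config|crl)")),
    ("REQUEST_URI", True, re.compile(
        r"^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$")),
]

# RewriteRule ^/ipa/(.*)  https://$FQDN/ipa/$1 [L,R=301,NC]  (NC = case-insensitive)
REWRITE_RULE = re.compile(r"^/ipa/(.*)", re.IGNORECASE)


def apply_rewrite(server_port, request_uri):
    """Return the 301 target if the IPA rewrite block fires, otherwise None.

    mod_rewrite tests the RewriteRule pattern first; only if it matches are the
    preceding RewriteCond lines evaluated, and all of them must hold (no [OR]).
    """
    rule_match = REWRITE_RULE.match(request_uri)
    if rule_match is None:
        return None  # path is not under /ipa/, so the block never applies
    env = {"SERVER_PORT": str(server_port), "REQUEST_URI": request_uri}
    for var, negated, pattern in REWRITE_CONDS:
        matched = pattern.search(env[var]) is not None
        if matched == negated:  # a "!" condition fails exactly when its pattern matches
            return None
    return "https://%s/ipa/%s" % (FQDN, rule_match.group(1))


def kdcproxy_passes_through(path="/KdcProxy"):
    """True when the proxy mount point is left alone on both the plain and TLS port."""
    return all(apply_rewrite(port, path) is None for port in (80, 443))


if __name__ == "__main__":
    for port, uri in [(80, "/KdcProxy"), (80, "/ipa/ui"), (80, "/ipa/config"),
                      (80, "/ipa/ui/js/app.js"), (443, "/ipa/ui")]:
        print(port, uri, "->", apply_rewrite(port, uri))
    print("KdcProxy reachable over HTTP and HTTPS:", kdcproxy_passes_through())
```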
