[Freeipa-devel] Kerberos over HTTPS (KDC proxy)
Christian Heimes
cheimes at redhat.com
Tue May 26 15:09:14 UTC 2015

On 2015-05-26 16:50, Nathaniel McCallum wrote:
> Right. So as I see it, we have three options:
> 1. Merge kdcproxy soon with a global switch.
>    A. Build per-replica switches later.
>    B. Never build per-replica switches.
> 2. Merge kdcproxy later with per-replica switches.
>
> I don't think having both types of switches is bad UX. In fact, I think
> it is better UX than per-replica switches alone. Since per-replica
> switches are a superset of the global switch functionality, let's do 1A
> and do per-replica switches later (if needed and feasible)

You know what? That was basically my second implementation. :) I had a
global switch in cn=ipaConfig,cn=etc and a per-replica switch in
cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. The code is still in
another branch on my laptop.

Since I have both variants mostly implemented, I'd like to suggest yet
another option:

2. Merge kdcproxy with global and per-replica switch, but for now offer
only a CLI command for the global switch.

That's easy to implement. I only need an ACI for
cn=masters,cn=ipa,cn=etc in order to allow compare and search for
ipaConfigString=enabledService.

Christian