[Freeipa-devel] Kerberos over HTTPS (KDC proxy)
Nathaniel McCallum
npmccallum at redhat.com
Wed May 27 13:51:00 UTC 2015
On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote:
> Dne 27.5.2015 v 15:43 Simo Sorce napsal(a):
> > On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote:
> > > > >
> > > > > ipa config-mod --enable-kdcproxy=TRUE
> > > > > ipa config-mod --enable-kdcproxy=FALSE
> > >
> > > I don't like this approach, as it is completely inconsistent with
> > > every
> > > other optional component. There should be *one* way to handle
> > > them
> > > and
> > > there already is one, no need to reinvent the wheel.
> >
> > Sorry Jan, but this is really the correct approach.
>
> I don't think so.
>
> >
> > We want a boolean in LDAP to control whether the IPA Domain allows
> > proxying or not, the code is embedded in the overall framework and
> > has
> > no need for explicit install/uninstall unlike the CA or DNS
> > components.
>
> There is a boolean for every other component/service as well. If you
> want to add new API to manipulate the boolean, fine, but it should be
>
> done in a generic way that works for other components as well.
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here. This is just new config for apache.
Nathaniel
More information about the Freeipa-devel
mailing list