[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Alexander Bokovoy abokovoy at redhat.com
Thu May 28 10:27:36 UTC 2015


On Thu, 28 May 2015, Christian Heimes wrote:
>On 2015-05-28 12:10, Petr Spacek wrote:
>>> I see. My question is - if we go this way, what is then the reasonable subset
>>> configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
>>> feature in for 4.2). Is ipa-kdcproxy-manage doable?
>>>
>>> What is the proposed API here?
>>>
>>> ipa-kdcproxy-manage list
>>> ipa-kdcproxy-manage enable <server>
>>> ipa-kdcproxy-manage disable <server>
>>
>> I believe that for 4.2 it is perfectly enough to have per-replica switch in
>> LDAP (enabled by default) and to provide ldapmodify command in docs. User
>> interface can be polished later if we get the design right.
>
>For Petr's proposal to work we only need an additional ACI and maybe an
>additional permission. I'm using Apache's keytab for the LDAP bind. The
>principal has no permission to read or search ipaConfigString attributes
>in the cn=masters tree.
>
>An ipa-kdcproxy-manage is more work. I'd have to write the script and
>implement an HTTP interface to reload all settings.
I'm fine with that for 4.2. We can always add an example of
enable/disable via the ipa-ldap-updater tool, which should be the simplest one
for admins as it includes template values for the domain and IPA master
hosts. See https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/
for examples; this one would be similar to how weak enctypes are enabled:

# 20-kdcproxy-enable-on-this-master.update
dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add:ipaConfigString:enabledService

# 20-kdcproxy-disable-on-this-master.update
dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService


-- 
/ Alexander Bokovoy
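The per-master switch described above, as an added example that is not part of the original mail or of FreeIPA's code: it parses the update-file syntax shown in the message (dn:, add:attr:value, remove:attr:value, $FQDN/$SUFFIX templates), applies it to an in-memory stand-in for the cn=masters tree, and exposes an audit check for which masters have KDCPROXY marked as enabledService. The hostname, suffix and the dict-based "tree" are constructed assumptions.

```python
# Added example (not FreeIPA code): simulate the per-master KDC proxy switch
# from the mail. Update-file syntax and templates ($FQDN, $SUFFIX) follow the
# snippet; a dict of entries stands in for the cn=masters LDAP tree.
from string import Template

VARS = {"FQDN": "ipa1.example.test", "SUFFIX": "dc=example,dc=test"}  # constructed

ENABLE_UPDATE = """\
# 20-kdcproxy-enable-on-this-master.update
dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add:ipaConfigString:enabledService
"""
DISABLE_UPDATE = """\
dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
remove:ipaConfigString:enabledService
"""


def parse_update(text, variables):
    """Return (dn, [(op, attr, value), ...]) after $VAR substitution."""
    dn, ops = None, []
    for line in Template(text).substitute(variables).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            continue
        op, attr, value = line.split(":", 2)
        if op not in ("add", "remove"):
            raise ValueError("unsupported operation: %s" % op)
        ops.append((op, attr, value))
    return dn, ops


def apply_update(tree, text, variables):
    """Apply an update to 'tree' (dn -> {attr: set of values}); returns tree."""
    dn, ops = parse_update(text, variables)
    entry = tree.setdefault(dn, {})
    for op, attr, value in ops:
        values = entry.setdefault(attr, set())
        if op == "add":
            values.add(value)
        else:
            values.discard(value)        # removing an absent value is a no-op
    return tree


def kdcproxy_enabled(tree, fqdn, suffix):
    """Audit check: does this master's KDCPROXY entry carry enabledService?"""
    dn = "cn=KDCPROXY,cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (fqdn, suffix)
    return "enabledService" in tree.get(dn, {}).get("ipaConfigString", set())
```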