[Freeipa-devel] Kerberos over HTTPS (KDC proxy)

Jan Cholasta jcholast at redhat.com
Thu May 28 11:59:58 UTC 2015


On 28.5.2015 at 13:56, Christian Heimes wrote:
> On 2015-05-28 13:30, Jan Cholasta wrote:
>> On 28.5.2015 at 12:53, Christian Heimes wrote:
>>> On 2015-05-28 12:46, Martin Kosek wrote:
>>>> I am fine with this too. So if there is not another major
>>>> disagreement, let us
>>>> start with enabling KDCPROXY by default during upgrade/install, the
>>>> new ACI and
>>>> the per-replica standard configuration.
>>>>
>>>> API CLI/UI can come later (4.2.x or 4.3).
>>>
>>> LGTM, too.
>>>
>>> How should the new ACI work? I see two possible ways:
>>>
>>> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>>>
>>> (targetfilter="(ipaConfigString=enabledService)")
>>> (targetattr="ipaConfigString")
>>> (version 3.0; acl "Compare enabledService access to masters";
>>>  allow(search, compare) userdn = "ldap:///all";)
>>>
>>> 2) Create a new permission, assign it to all HTTP principals and allow
>>> read, compare and search for all ipaConfigString attributes.
>>>
>>> For the second way I need somebody to walk me through the permission and
>>> role system of FreeIPA.
>>>
>>> Christian
>>
>> So, will it be a separate component with its own freeipa-server-kdcproxy
>> subpackage and installer or will it be a sub-component of KDC (as Martin
>> suggested) and part of the core freeipa-server package?
>
> For now I'm in favor of a sub-component as part of the freeipa-server
> package.

OK, then I'm fine with ipa-kdcproxy-manage, but instead of adding a new 
service entry for KDC proxy, you can just add a flag to the KDC service 
entry, like ipaConfigString=kdcProxyEnabled.

-- 
Jan Cholasta
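As an added example that is not part of this thread or of FreeIPA's own code, the following script audits the ACI from option 1 above: it parses the 389-DS ACI syntax and reports any right that the bind rule grants to every user beyond search and compare. The ACI_READ_VARIANT string is a constructed variant (not from the thread) used to show the check failing, and the function names are assumptions.

```python
import re

# The ACI proposed as option 1 in the thread, joined onto one string.
ACI_ENABLED_SERVICE = (
    '(targetfilter="(ipaConfigString=enabledService)")'
    '(targetattr="ipaConfigString")'
    '(version 3.0; acl "Compare enabledService access to masters"; '
    'allow(search, compare) userdn = "ldap:///all";)'
)
# Constructed variant (not from the thread) that additionally lets everyone
# read ipaConfigString values, which option 1 deliberately withholds.
ACI_READ_VARIANT = ACI_ENABLED_SERVICE.replace(
    "allow(search, compare)", "allow(read, search, compare)")

_TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
_BODY_RE = re.compile(r'\(version\s+3\.0;\s*acl\s+"([^"]*)";\s*(.*)\)\s*$', re.S)
_RULE_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*([^;]*);')
# 389-DS bind rules matching every authenticated user ("all") or, with
# "anyone", anonymous binds as well.
EVERYONE = {'userdn="ldap:///all"', 'userdn="ldap:///anyone"'}

def parse_aci(aci):
    """Split a 389-DS ACI into targets, ACL name and allow/deny rules."""
    targets = {n: (op, v) for n, op, v in _TARGET_RE.findall(aci)}
    body = _BODY_RE.search(aci)
    if body is None:
        raise ValueError("no '(version 3.0; acl ...)' body found")
    name, rules_text = body.groups()
    rules = [{"effect": effect,
              "rights": {r.strip() for r in rights.split(",")},
              "bind": bind.strip()}
             for effect, rights, bind in _RULE_RE.findall(rules_text)]
    return {"name": name, "targets": targets, "rules": rules}

def everyone_rights(parsed):
    """Rights granted by allow rules whose bind rule matches everyone."""
    rights = set()
    for rule in parsed["rules"]:
        bind = rule["bind"].replace(" ", "").lower()
        if rule["effect"] == "allow" and bind in EVERYONE:
            rights |= rule["rights"]
    return rights

def audit(aci, expected=frozenset({"search", "compare"})):
    """Rights everyone gets beyond search/compare, which let a client test a
    filter like (ipaConfigString=enabledService) but not read the values."""
    return everyone_rights(parse_aci(aci)) - set(expected)
```

Running audit() over the ACIs exported from a directory makes it easy to spot any rule that widens "everyone" access past search and compare.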



