[katello-devel] Kerberos support design
Jan Pazdziora
jpazdziora at redhat.com
Mon Jun 24 09:18:50 UTC 2013
On Tue, Jun 18, 2013 at 04:07:27PM +0200, Marek Hulan wrote:
> Hello,
>
> I created a kerberos wiki page [1] with design of integration into our current
> authentication scheme (thanks Dominic for early discussions). Especially
> Martin and Tomáš should be interested because it's related to CLI. Please take
> a look and reply with questions/comments or ping me via IRC.
>
> [1] https://fedorahosted.org/katello/wiki/KerberosIntegration

A couple of questions / points:
1) Is it going to be GSSAPI all the way or some direct Kerberos?
2) What does rack-auth-krb have that mod_auth_kerb does not?
3) The gssapi is now packaged:
https://koji.fedoraproject.org/koji/packageinfo?packageID=16455
I'll now work to get them to composes.
4) It would be good if Bryan or perhaps someone from the Katello team fixed
https://bugzilla.redhat.com/show_bug.cgi?id=975332
5) For the "Creating principal will be out of a scope of katello" --
this can be scripted with the IPA commands -- namely ipa
service-add.
6) For the "This file must exist before Signo is started" -- again,
use IPA command -- ipa-getkeytab.
7) For the "Fallback to other backends - how we'll decide which one to
use" -- this is obviously on the admin to decide and configure, with
Katello providing a sensible default. If you go with Kerberos, you
will probably need to at least support the password change. Of
course, you can just redirect to the IPA server to do that.
8) For the "Do we want to ensure clocks are synced" -- do you plan
for the systems to be enrolled as IPA clients? If yes, the setup of
IPA client side will take care of this.
--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat