On 06/17/2011 06:59 PM, Dmitri Pal wrote:

Before we went too far with implementing the CS decoupling here is a
stupid idea I have.

We can proceed with the plans described in tickets:

However, what we can do is store the CS instance DM password encrypted in
the main instance.
Then the management utility (ticket 1250) would first have to fetch this
encrypted attribute from the main instance.
We would be able to define ACIs on it and use the Kerberos
authentication against the main instance instead of prompting the user for
the DM password.
It is a little bit more work, but a much better and more consistent user
experience and administrative model.

Makes sense at a first pass. I haven't worked that deeply with the CS stuff to say for sure, but treating the IPA DS as canonical and thus giving it the keys to the kingdom seems to be the right call. It all depends on which (CS or IPA) you want to treat as the most critical to lock down. I see nothing wrong with keeping IPA in that role.

What do you think?
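As an added illustration of the ACI part of the proposal (my example, not code from the thread or from FreeIPA), this is what "define ACIs on it" could look like in 389 DS ACI syntax. The entry DN (cn=CS,cn=etc,...), the attribute name (ipaCSDMPasswordEncrypted) and the privileged group (cn=admins,...) are assumptions chosen for the example; the thread names none of them.

```ldif
# Added example, not FreeIPA's own schema or ACIs. Assumed names:
#   entry     cn=CS,cn=etc,dc=example,dc=com
#   attribute ipaCSDMPasswordEncrypted   (holds the encrypted CS DM password)
#   group     cn=admins,cn=groups,cn=accounts,dc=example,dc=com
# Two ACIs on the entry that stores the encrypted value:
#   1. allow members of the admin group to read/search/compare the attribute
#   2. deny every other bind (including anonymous) all rights on it
# In 389 DS a deny ACI takes precedence over any allow, so the second ACI
# also overrides a broader anonymous-read ACI inherited from the suffix.
dn: cn=CS,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ipaCSDMPasswordEncrypted")(version 3.0; acl "Admins may read stored CS DM password"; allow (read, search, compare) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
aci: (targetattr = "ipaCSDMPasswordEncrypted")(version 3.0; acl "Deny stored CS DM password to everyone else"; deny (all) groupdn != "ldap:///cn=admins,cn=groups,cn=accounts,dc=example,dc=com";)
```

To check the result the way the management utility would use it, obtain an admin ticket with kinit and run ldapsearch with -Y GSSAPI against the entry, asking for the attribute; it should come back. The same search bound anonymously (-x) or as a non-admin principal should return the entry without that attribute. Note that the ACI only governs who can read the ciphertext; the thread does not say what key encrypts the stored value or where the utility gets it, and that key is what actually decides who can recover the DM password.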

