On Fri, 2011-12-02 at 09:46 -0500, Rob Crittenden wrote:
> Simo Sorce wrote:
> > On Fri, 2011-12-02 at 08:22 -0500, Rob Crittenden wrote:
> >> Simo Sorce wrote:
> >>> On Wed, 2011-11-30 at 17:33 -0500, John Dennis wrote:
> >>>> Comments? Suggestions?
> >>>>
> >>> Sorry for the late reply.
> >>>
> >>> First of all, excellent write-up John, it is very comprehensive and lays down things very clearly.
> >>>
> >>> I agree that using ipa:ipa for memcached and wsgi would be a better proposition for us. Although we need to explore how this would affect credential caches created by mod_auth_kerb and our ability to use them, which is crucial*.
> >>
> >> The krb ccache will not be readable by ipa:ipa.
> >
> > I feared that, although maybe we can do some trick with default ACLs to make them readable to the 'ipa' user.
> > Do we have the option to re-implement SPNEGO in python and stop using mod_auth_kerb?
> >
> > Simo.
> >
>
> We last looked at this way back in early v1 so it may be possible now, it wasn't then. This would be a long-term effort.

Yep, medium/long term.

> Whatever we do we definitely don't want 389-ds to be running as the same user as the ipa framework. Breaking into the web server via our app would mean filesystem access to the raw LDAP database.

Totally agree, ipa:ipa should only be used for wsgi/memcached at most. Certainly not other services we currently have.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel