> For a read-only KDC we need to investigate what the better solution is.
> There are many ways we can handle the issue; one of the simplest is
> probably to allow the RO KDC to use a special LDAP Extended operation
> against a full R/W server to get the user keys to sign, authenticating
> with a special R/O KDC principal. We can also investigate how MS does
> internal forwarding and do something similar, as I suspect that's
> something samba4-RODC will want to implement too, so we could share some
> of the development burden there.
I do not think it is a good idea for the remote RO KDC to go back to
the main datacenter on every authentication without some sort of
caching. This is why I think that some kind of SSSD integration might
be due: the RO KDC would just pass the authentication to SSSD in some
way, and SSSD would do the caching in case the office goes offline. I
understand that authhub as is will not work, as the client sends a
timestamp encrypted with the password and SSSD needs the plain-text
password as a credential. I do not know if there is a way to solve this
without actually sending the password in the tunnel. IMO it is more
important to make sure that the remote office can have uninterrupted
operation than to worry about the password being sent inside the
encrypted tunnel. It is something that the deployment should decide and
weigh risks against
Sr. Engineering Manager IPA project,
Red Hat Inc.