On 04/29/2015 09:09 AM, Martin Kosek wrote:
On 04/28/2015 05:42 PM, Martin Babinsky wrote:
The attached patches address https://fedorahosted.org/freeipa/ticket/4973 and
implement the solution proposed in Comment 2.

Please review the hell out of them.

Why did you split the work in 2 patches? It looks like you first did the first
approach of modifying httpd.service and then changed your mind and did the
ipa-httpd.service approach (which is what we agreed to).

I was thinking about it as two distinct operations (modify existing httpd.service to use KRB5CCNAME and rename httpd.service to ipa-httpd.service). But I can merge them if needed.

Also, shouldn't ipa-httpd.service be contained in the package itself, like
ipa-dnskeysyncd and httpd.service masked during installation? Also, I do not
see any daemon-reload, so I am not sure if systemd would pick up the right
configuration in the first install.

Martin^2 told me that generating the service file from a template is evil, so I will put the full service file into the init/systemd directory so that it is already present in /etc/systemd/system after rpm install.

Next, I was thinking what should be the ideal KRB5CCNAME for the HTTPD service.
You chose "/tmp/ipa-httpd.ccache", is it the best approach CCACHE type/path we
should use? This is mostly question to Simo, his mod_auth_gssapi will consume
the ccache.

I will ask Simo if there is some preferred way to name CCache files.

Martin^3 Babinsky
