On 05/22/2015 01:17 PM, Christian Heimes wrote:
On 2015-05-22 13:02, Martin Kosek wrote:
The original proposal was to do it globally in cn=config. But if it is
about to be stored in the cn=masters, per-replica, this looks like the
My first proposal used cn=ipaConfig,cn=etc because it was the first
place I found. It took me a bit to find and understand the other
subtrees in cn=etc. Other developers have pointed me to the cn=masters
What API did you plan using, for enabling/disabling service? If we go
the general IPA service way, should we extend the planned service-* API
that Petr Vobornik announced in
and have command like serverservice-mod ipa.server kdcproxy --enabled=0?
I don't have concrete plans for an enabling/disabling API yet. It's one
of the questions I have raised at the end of my mail. I'm going to study
Petr Vobornik's mail now.
In order to disable or enable KDC proxy, the switch in LDAP must be
switched and Apache must be reloaded or restarted. The WSGI wrapper does
NOT poll the state of the switch.
Actually the service part of "IPA servers" is not covered in the
proposal. The proposal just says that it can be added later.
There will be a question whether it should even be called "services". Maybe
"capabilities" would be a better term given that KDC Proxy is not a
4) In order to read the state of the switch, the WSGI script needs to be
able to connect to LDAP. I can use Apache's / FreeIPA webui's keytab to
get a ticket for GSSAPI bind. However Apache has no permission to read
ipaConfigStrings in the masters subtree. A new role/permission and ACI
is required here.
There is already a permission 'System: Read IPA Masters' and privilege
"IPA Masters Readers" defined in
ipaserver/install/plugins/update_managed_permissions.py. Can this be used?
The permission sounds too broad to me. There is probably a reason why
all ipaConfigStrings entries are read-protected. I really just need
search (and maybe compare) for ipaConfigString=enabledService.
Thanks for your feedback,
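The two mechanics discussed above, the per-server switch under cn=masters being tested with a search for ipaConfigString=enabledService and the WSGI wrapper reading that switch only once at start-up, as an added example. This is illustration code, not code from the thread or from FreeIPA itself: the DN under cn=masters is a hypothetical layout, the connection is a constructed in-memory stand-in with a python-ldap-style search_s() in place of a real GSSAPI-bound connection, and the upstream application is a stub, so it runs offline.

```python
"""KDC proxy switch read from LDAP once at WSGI start-up (added example).

Assumptions not taken from the thread: KDCPROXY_DN is a hypothetical
per-server entry under cn=masters; the switch is the value
ipaConfigString=enabledService on that entry; `conn` offers a
python-ldap-style search_s(base, scope, filterstr, attrlist).
"""
import re

SCOPE_BASE = 0  # same numeric value as ldap.SCOPE_BASE in python-ldap

# Hypothetical DN for this example; the thread does not fix the exact layout.
KDCPROXY_DN = ("cn=KDCPROXY,cn=ipa.example.test,cn=masters,"
               "cn=ipa,cn=etc,dc=example,dc=test")


def is_kdcproxy_enabled(conn, dn=KDCPROXY_DN):
    """Base-scope search with an equality filter and no attributes returned.

    The server does the matching, so the bound identity needs only search
    (and compare) rights on ipaConfigString rather than read rights: the
    answer is either the entry DN or an empty result.  "1.1" is the LDAP
    convention for "return no attributes".
    """
    result = conn.search_s(dn, SCOPE_BASE,
                           "(ipaConfigString=enabledService)", ["1.1"])
    return len(result) > 0


class FakeDirectory:
    """Constructed stand-in for a python-ldap connection (offline only).

    Supports exactly what the check above needs: base scope and a single
    equality filter, matched case-sensitively (a simplification)."""

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: [values]}

    def search_s(self, base, scope, filterstr, attrlist=None):
        if scope != SCOPE_BASE:
            raise ValueError("this stand-in only implements base scope")
        match = re.fullmatch(r"\((\w+)=([^)]*)\)", filterstr)
        if match is None:
            raise ValueError("unsupported filter: %s" % filterstr)
        attr, value = match.group(1), match.group(2)
        entry = self.entries.get(base)
        if entry is None:
            raise LookupError("no such object: %s" % base)
        if value in entry.get(attr, []):
            return [(base, {})]  # attrlist ["1.1"]: DN only, no attributes
        return []


def upstream(environ, start_response):
    """Stub standing in for the real KDC proxy application."""
    start_response("200 OK", [("Content-Type", "application/kerberos")])
    return [b"<proxied KDC reply>"]


def make_app(conn, forward=upstream):
    """Build the WSGI wrapper.

    The switch is read exactly once, here, and never polled afterwards,
    which is why flipping it in LDAP only takes effect once Apache reloads
    or restarts and the module is imported again."""
    enabled = is_kdcproxy_enabled(conn)

    def app(environ, start_response):
        if not enabled:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"KDC proxy is disabled on this server\n"]
        return forward(environ, start_response)

    app.enabled = enabled
    return app


def invoke(app, path="/KdcProxy"):
    """Drive a WSGI app with a minimal constructed environ; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "POST"}
    body = b"".join(app(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    directory = FakeDirectory({KDCPROXY_DN: {"ipaConfigString": ["enabledService"]}})
    app = make_app(directory)
    print(invoke(app))
    directory.entries[KDCPROXY_DN]["ipaConfigString"] = []
    print(invoke(app))            # still proxied: the running wrapper never re-reads
    print(invoke(make_app(directory)))  # a fresh start-up sees the switch flipped
```

The stale-after-flip behaviour in the last three lines is the operational caveat from the message: changing the LDAP switch without reloading Apache leaves the old decision in effect.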