On Fri, 2015-05-22 at 12:24 +0200, Christian Heimes wrote:
> Here is what I have so far:
> 1) The FreeIPA webui already depends on Apache and mod_wsgi. KDC
> will run from the same Apache HTTPD instance but it will use a
> mod_wsgi daemon configuration. A second WSGI daemon is easily
> and allows us to tune the daemon for KDC proxy's needs. FreeIPA is
> mounted at /ipa, KDC Proxy will be available at /KdcProxy or /kdc.
"The URI uses the virtual directory /KdcProxy unless otherwise
Also, the proxy should be available over both HTTP and HTTPS.
> 3) An administrator must be able to enable/disable the new feature.
> state of the switch will be read when Apache is started or reloaded.
> feature must be configurable for each replica, too. A WSGI wrapper
> read the setting from ipaConfigString=enabledService in
> cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. When the feature is
> disabled, it will reply with 404 Not Found error.
I prefer enabled by default unless there is some performance or
security consideration. Mere proxying isn't a security consideration
since we already expose the KDC by default.
> 4) In order to read the state of the switch, the WSGI script needs to
> able to connect to LDAP. I can use Apache's / FreeIPA webui's keytab
> get a ticket for GSSAPI bind. However Apache has no permission to
> ipaConfigStrings in the masters subtree. A new role/permission and
> is required here.
This is, indeed, a security problem. Do we have a strong use case for
per-replica control? If not, let's just do a single global control
since we can easily make this globally readable.
> 5) python-kdcproxy can read its configuration from multiple places.
> performance reasons we don't want DNS lookups. Therefore our proxy
> instance will only use libkrb5.so to read a list of KDCs, kpasswd and
> admin servers from /etc/krb5.conf.
> Open questions / issues
> For 3) and 4) the Apache HTTP principal must be able to read or at
> compare the state of the switch. The ACIs in the masters tree forbid
> access to ipaConfigString entries except for principals with 'System:
> Read IPA Masters' permission. Martin Basti and Petr Spacek have
> suggested that I introduce a new permission for the task. I haven't
> figured out how to configure and assign a new permission. Right now
> experimental code uses this ACI:
> 3.0; acl "Compare enabledService access to masters"; allow(search,
> compare) userdn = "ldap:///all";)
> I found ipaserver.install.service.Service and SimpleServiceInstance
> the FreeIPA sources. As far as I understand the use of the classes,
> are used in the installers to configure service instances. However
> kdcproxy service instance is going to be special. It has no 1:1
> to a system service. Instead it shares a system service (Apache
> with the HttpInstance for FreeIPA's webui. AFAIK no other service
> instance has such a relation.
> Finally I haven't figured out the best way to configure the instance.
> admin should be able to enable / disable KDC proxy. Should I write a
> script or a ipa plugin for the job?
IMHO, use a global switch and put the control in the ipa config plugin.
We shouldn't over-engineer this.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
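The WSGI wrapper behaviour from items 3 and 4 of Christian's list (read `ipaConfigString=enabledService` under `cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc` once at daemon start, answer 404 while disabled, otherwise hand the request to the proxy), written out as an added example that is not code from this thread, from FreeIPA or from python-kdcproxy. The LDAP directory is replaced by a constructed in-memory dictionary, the hostnames and base DN are invented, and `fake_kdcproxy` only stands in for the real kdcproxy WSGI application; a real deployment would do a GSSAPI bind to 389-ds with the HTTP keytab, which is exactly the permission problem discussed in item 4.

```python
import io
from typing import Callable, Dict, Iterable, List, Optional, Tuple

WSGIApp = Callable[[dict, Callable], Iterable[bytes]]

# Constructed stand-in for the cn=masters subtree: DN -> ipaConfigString values.
# Every hostname and the base DN here are made up for the example.
BASEDN = "dc=example,dc=test"
CONSTRUCTED_MASTERS: Dict[str, List[str]] = {
    "cn=KDCPROXY,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test":
        ["enabledService"],          # proxy switched on for this replica
    "cn=KDCPROXY,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test":
        [],                          # entry exists but switch is off
}


def kdcproxy_dn(fqdn: str, basedn: str) -> str:
    """DN of the per-replica switch entry named in item 3 of the proposal."""
    return "cn=KDCPROXY,cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (fqdn, basedn)


def replica_enabled(fqdn: str, basedn: str,
                    lookup: Callable[[str], Optional[List[str]]] = CONSTRUCTED_MASTERS.get) -> bool:
    """True only if the replica's entry carries ipaConfigString=enabledService.

    `lookup` stands in for an LDAP search; a missing entry (None) is treated as
    'disabled' rather than as an error so a misconfigured replica fails closed.
    """
    values = lookup(kdcproxy_dn(fqdn, basedn))
    return values is not None and "enabledService" in values


def switched_app(inner: WSGIApp, enabled: bool) -> WSGIApp:
    """Wrap `inner` so every request gets 404 Not Found while the switch is off.

    `enabled` is a plain bool evaluated when the wrapper is built, i.e. when the
    mod_wsgi daemon starts or Apache is reloaded, matching item 3; nothing is
    looked up per request and no request body is read on the disabled path.
    """
    def app(environ, start_response):
        if not enabled:
            body = b"KDC proxy is disabled on this server\n"
            start_response("404 Not Found", [
                ("Content-Type", "text/plain"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return inner(environ, start_response)
    return app


def fake_kdcproxy(environ, start_response):
    """Assumption: placeholder for the real kdcproxy application, which would
    forward the POSTed KDC-PROXY-MESSAGE to a KDC taken from /etc/krb5.conf."""
    start_response("200 OK", [("Content-Type", "application/kerberos")])
    return [b"proxied"]


def build(fqdn: str, basedn: str = BASEDN) -> WSGIApp:
    """What the per-replica wsgi script would do at import time."""
    return switched_app(fake_kdcproxy, replica_enabled(fqdn, basedn))


def invoke(app: WSGIApp, method: str = "POST", path: str = "/KdcProxy",
           body: bytes = b"") -> Tuple[str, Dict[str, str], bytes]:
    """Drive a WSGI app in-process and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    out = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), out


if __name__ == "__main__":
    for host in ("ipa1.example.test", "ipa2.example.test", "ipa3.example.test"):
        status, _, out = invoke(build(host))
        print("%-20s %s %r" % (host, status, out))
```

Because the switch is read when the app object is built, flipping the LDAP value takes effect only after an Apache reload, which is the behaviour item 3 describes; if per-request freshness were wanted, `switched_app` would take a callable instead of a bool, at the cost of an LDAP round trip on every proxied request. Nathaniel's global-switch variant changes only `replica_enabled`: one entry that every replica reads, so no new permission on the masters subtree is needed.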