On 2015-05-26 15:57, Nathaniel McCallum wrote:
> /KdcProxy
> "The URI uses the virtual directory /KdcProxy unless otherwise
> configured."
> https://msdn.microsoft.com/en-us/library/hh553891.aspx
> Also, the proxy should be available over both HTTP and HTTPS.

Easy-peasy! I'm using /KdcProxy already and the default configuration
allows HTTP and HTTPS requests.

> I prefer enabled by default unless there is some performance or
> security consideration. Mere proxying isn't a security consideration
> since we already expose the KDC by default.

My latest patch enables the proxy by default.

> This is, indeed, a security problem. Do we have a strong use case for
> per-replica control? If not, let's just do a single global control
> since we can easily make this globally readable.

Martin and Petr both suggested per-replica configuration of the new
feature. Petr has argued it is a future-proof design. It will make
containerization of FreeIPA simpler as no schema change is required later.


Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to