On 2015-05-26 15:57, Nathaniel McCallum wrote:
> /KdcProxy
>
> "The URI uses the virtual directory /KdcProxy unless otherwise
> configured."
>
> https://msdn.microsoft.com/en-us/library/hh553891.aspx
>
> Also, the proxy should be available over both HTTP and HTTPS.

Easy-peasy! I'm using /KdcProxy already and the default configuration allows HTTP and HTTPS requests.

> I prefer enabled by default unless there is some performance or
> security consideration. Mere proxying isn't a security consideration
> since we already expose the KDC by default.

My latest patch enables the proxy by default.

> This is, indeed, a security problem. Do we have a strong use case for
> per-replica control? If not, let's just do a single global control
> since we can easily make this globally readable.

Martin and Petr both suggested per-replica configuration of the new feature. Petr has argued it is a future-proof design. It will make containerization of FreeIPA simpler as no schema change is required later.

Christian
--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code