On 05/26/2015 04:17 PM, Christian Heimes wrote:
On 2015-05-26 15:57, Nathaniel McCallum wrote:
/KdcProxy
"The URI uses the virtual directory /KdcProxy unless otherwise
configured."
https://msdn.microsoft.com/en-us/library/hh553891.aspx
Also, the proxy should be available over both HTTP and HTTPS.
Easy-peasy! I'm using /KdcProxy already and the default configuration
allows HTTP and HTTPS requests.
Just make sure it works with the IPA https rewrite rule:
# Redirect to the secure port if not displaying an error or retrieving
# configuration.
RewriteCond %{SERVER_PORT} !^443$$
RewriteCond %{REQUEST_URI} !^/ipa/(errors|config|crl)
RewriteCond %{REQUEST_URI} !^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$$
RewriteRule ^/ipa/(.*) https://$FQDN/ipa/$$1 [L,R=301,NC]
I prefer enabled by default unless there is some performance or
security consideration. Mere proxying isn't a security consideration
since we already expose the KDC by default.
My latest patch enables the proxy by default.
This is, indeed, a security problem. Do we have a strong use case for
per-replica control? If not, let's just do a single global control
since we can easily make this globally readable.
Martin and Petr both suggested per-replica configuration of the new
feature. Petr has argued it is a future-proof design. It will make
containerization of FreeIPA simpler as no schema change is required later.
I discussed this briefly with Nathaniel; if this is sufficiently easy/doable, I
am fine with it. If not, then adding the global control may be the way for
FreeIPA 4.2 GA, and the per-replica control can be implemented later.
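To check the point raised above about the https rewrite rule and /KdcProxy, here is an added example (not from this thread nor FreeIPA's own code) that emulates the rule's conditions in Python. It unescapes the template's "$$" to "$" and uses a constructed hostname in place of $FQDN; the KDC proxy path is left alone because the rule only matches ^/ipa/, while the port, errors/config/crl and static-asset exemptions behave as written.

```python
import re

# Constructed placeholder for the $FQDN the ipa-rewrite.conf template fills in.
FQDN = "ipa.example.test"

# The three RewriteConds and the RewriteRule quoted in the thread ("$$" -> "$").
# RewriteConds are case-sensitive; only the RewriteRule carries [NC].
COND_PORT = re.compile(r"^443$")
COND_EXEMPT_PATHS = re.compile(r"^/ipa/(errors|config|crl)")
COND_STATIC = re.compile(
    r"^/ipa/[^\?]+(\.js|\.css|\.png|\.gif|\.ico|\.woff|\.svg|\.ttf|\.eot)$")
RULE = re.compile(r"^/ipa/(.*)", re.IGNORECASE)


def rewrite(server_port, request_uri):
    """Return the 301 target the rule would emit, or None if the request is
    passed through untouched. mod_rewrite semantics: every RewriteCond must
    hold (a leading '!' negates the match) and the rule pattern must match."""
    if COND_PORT.match(str(server_port)):       # !^443$ : already on TLS port
        return None
    if COND_EXEMPT_PATHS.match(request_uri):    # errors/config/crl stay on HTTP
        return None
    if COND_STATIC.match(request_uri):          # static UI assets stay on HTTP
        return None
    m = RULE.match(request_uri)                 # only /ipa/... is redirected
    if not m:
        return None
    return "https://%s/ipa/%s" % (FQDN, m.group(1))


if __name__ == "__main__":
    # Constructed requests: the KDC proxy must remain reachable over plain HTTP.
    for port, uri in [(80, "/KdcProxy"), (80, "/ipa/json"), (443, "/ipa/json"),
                      (80, "/ipa/config/ca.crt"), (80, "/ipa/ui/app.css")]:
        print("%-4d %-22s -> %s" % (port, uri, rewrite(port, uri) or "pass-through"))
```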