On 05/28/2015 10:02 AM, Jan Cholasta wrote: > Dne 28.5.2015 v 09:45 Christian Heimes napsal(a): >> On 2015-05-28 07:32, Jan Cholasta wrote: >>> Dne 27.5.2015 v 16:01 Christian Heimes napsal(a): >>>> On 2015-05-27 15:51, Nathaniel McCallum wrote: >>>>> As I understand the problem, there is an assumption that an optional >>>>> component has a distinct service to start and stop. That is not the >>>>> case here. This is just new config for apache. >>>> >>>> More details: >>>> >>>> The KDC Proxy uses the same Apache instance as FreeIPAs Web GUI and >>>> Tomcat. There is no extra service involved. The switch just decides if >>>> https://ipa.example.org/KdcProxy acts as a MS-KKDCP end point or returns >>>> a 404 error. >>> >>> FYI Tomcat does not use the same Apache instance, the Apache instance is >>> configured to proxy requests to Tomcat. >>> >>> If the IPA KDC proxy package is not installed on a replica, then going >>> to /KdcProxy will return 404, right? Why is an additional switch >>> necessary then? >> >> The python-kdcproxy package is a new dependency for the freeipa-server >> package. It will always get installed with the server. > > Why? None of the IPA core functionality depends on it, so it should be > optional. Also the overall trend in IPA is to have everything in subpackages.
Do not look at it as a separate component. It is mostly just a new transport for Kerberos. FreeIPA already provides Kerberos via TCP and UDP. This is a third transport - HTTP. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code