On Thu, 28 May 2015, Martin Kosek wrote:
On 05/28/2015 10:02 AM, Jan Cholasta wrote:
On 28.5.2015 at 09:45, Christian Heimes wrote:
On 2015-05-28 07:32, Jan Cholasta wrote:
On 27.5.2015 at 16:01, Christian Heimes wrote:
On 2015-05-27 15:51, Nathaniel McCallum wrote:
As I understand the problem, there is an assumption that an optional
component has a distinct service to start and stop. That is not the
case here. This is just new config for Apache.
The KDC Proxy uses the same Apache instance as FreeIPA's Web GUI and
Tomcat. There is no extra service involved. The switch just decides if
https://ipa.example.org/KdcProxy acts as an MS-KKDCP endpoint or returns
a 404 error.
FYI Tomcat does not use the same Apache instance, the Apache instance is
configured to proxy requests to Tomcat.
If the IPA KDC proxy package is not installed on a replica, then going
to /KdcProxy will return 404, right? Why is an additional switch
The python-kdcproxy package is a new dependency for the freeipa-server
package. It will always get installed with the server.
Why? None of the IPA core functionality depends on it, so it should be
optional. Also the overall trend in IPA is to have everything in subpackages.
Do not look at it as a separate component. It is mostly just a new transport
for Kerberos. FreeIPA already provides Kerberos via TCP and UDP. This is a
third transport - HTTP.
See my other response. With changes in
we'll need to manage the _kerberos.$DOMAIN URI DNS record (not just the TXT one
like now) to explicitly report where the proxies are located. This goes
beyond just a global switch in LDAP and requires an ipa-kdcproxy-manage tool.
/ Alexander Bokovoy