On 2015-05-28 12:10, Petr Spacek wrote:
>> I see. My question is - if we go this way, what is then the reasonable subset
>> configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
>> feature in for 4.2). Is ipa-kdcproxy-manage doable?
>>
>> What is the proposed API here?
>>
>> ipa-kdcproxy-manage list
>> ipa-kdcproxy-manage enable <server>
>> ipa-kdcproxy-manage disable <server>
>
> I believe that for 4.2 it is perfectly enough to have per-replica switch in
> LDAP (enabled by default) and to provide ldapmodify command in docs. User
> interface can be polished later if we get the design right.
For Petr's proposal to work we only need an additional ACI and maybe an additional permission. I'm using Apache's keytab for the LDAP bind. The principal has no permission to read or search ipaConfigString attributes in the cn=masters tree.

An ipa-kdcproxy-manage is more work. I'd have to write the script and implement a HTTP interface to reload all settings.

Christian
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code