On Thu, 28 May 2015, Christian Heimes wrote:
On 2015-05-28 12:10, Petr Spacek wrote:
I see. My question is - if we go this way, what is then the reasonable subset
configuration functionality realistic for FreeIPA 4.2 GA? (As we want this
feature in for 4.2). Is ipa-kdcproxy-manage doable?

What is the proposed API here?

ipa-kdcproxy-manage list
ipa-kdcproxy-manage enable <server>
ipa-kdcproxy-manage disable <server>

I believe that for 4.2 it is perfectly enough to have a per-replica switch in
LDAP (enabled by default) and to provide an ldapmodify command in the docs. The user
interface can be polished later if we get the design right.

For Petr's proposal to work we only need an additional ACI and maybe an
additional permission. I'm using Apache's keytab for the LDAP bind. The
principal has no permission to read or search ipaConfigString attributes
in the cn=masters tree.

An ipa-kdcproxy-manage is more work. I'd have to write the script and
implement an HTTP interface to reload all settings.
I'm fine with that for 4.2. We can always add an example of
enable/disable via the ipa-ldap-updater tool, which should be the simplest one
for admins as it includes template values for the domain and IPA master
hosts. See https://vda.li/en/posts/2015/01/02/playing-with-freeipa-ipa-ldap-updater/ for examples; this one would be similar to how weak enctypes are enabled:

# 20-kdcproxy-enable-on-this-master.update
dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX

# 20-kdcproxy-disable-on-this-master.update
dn: cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX

/ Alexander Bokovoy
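Added example (not code from the thread or from FreeIPA): a small model of the per-replica switch discussed above. It assumes a KDCPROXY service entry under cn=$FQDN,cn=masters with `ipaConfigString: enabledService` meaning enabled and an absent value meaning disabled, parses a constructed LDIF dump the way a kdcproxy process bound with Apache's keytab would see it, and renders the matching ipa-ldap-updater style add/remove snippet. The `aci_looks_wrong` check captures Christian's caveat: if the bind principal lacks read permission on ipaConfigString, every master silently looks disabled, so the absence of the attribute on all entries is treated as a probable ACI problem rather than a real configuration.

```python
"""Model of the proposed per-replica KDC proxy switch (example, not FreeIPA code).

Assumed layout (this example's assumption, not spelled out in the thread):
  dn: cn=KDCPROXY,cn=<fqdn>,cn=masters,cn=ipa,cn=etc,<suffix>
  ipaConfigString: enabledService   <- present = enabled, absent = disabled
"""

# Constructed sample: what a search of the cn=masters tree might return.
# ipa1 has the switch on, ipa2 has it removed (disabled).
SAMPLE_LDIF = """\
dn: cn=KDCPROXY,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: KDCPROXY
ipaConfigString: enabledService

dn: cn=KDCPROXY,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: KDCPROXY
"""


def parse_ldif(text):
    """Parse the plain 'attr: value' LDIF subset into {dn: {attr: [values]}}.

    Blank lines separate entries; comments are ignored. Base64 (::) and
    folded lines are not needed for this sample and are not handled.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line or line.startswith("#"):
            current = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def service_dn(fqdn, suffix, service="KDCPROXY"):
    """DN of the per-master service entry (assumed layout, see module docstring)."""
    return "cn=%s,cn=%s,cn=masters,cn=ipa,cn=etc,%s" % (service, fqdn, suffix)


def kdcproxy_enabled(entries, fqdn, suffix):
    """True only if this master's KDCPROXY entry carries the enable marker."""
    entry = entries.get(service_dn(fqdn, suffix))
    if entry is None:
        return False
    return "enabledService" in entry.get("ipaConfigString", [])


def aci_looks_wrong(entries):
    """Heuristic for the ACI problem from the thread: the service entries are
    readable but ipaConfigString is missing on every one of them, which is
    what an attribute-level read denial looks like to the client."""
    kdc = [e for dn, e in entries.items() if dn.startswith("cn=KDCPROXY,")]
    return bool(kdc) and not any("ipaConfigString" in e for e in kdc)


def update_snippet(enable, fqdn="$FQDN", suffix="$SUFFIX"):
    """Render an ipa-ldap-updater style .update body toggling the switch.

    The 'add: attr: value' / 'remove: attr: value' line form is assumed here.
    """
    op = "add" if enable else "remove"
    return "dn: %s\n%s: ipaConfigString: enabledService\n" % (
        service_dn(fqdn, suffix), op)


if __name__ == "__main__":
    masters = parse_ldif(SAMPLE_LDIF)
    for host in ("ipa1.example.test", "ipa2.example.test"):
        print(host, "kdcproxy enabled:",
              kdcproxy_enabled(masters, host, "dc=example,dc=test"))
    print("possible ACI problem:", aci_looks_wrong(masters))
    print(update_snippet(enable=False))
```

The parser is deliberately minimal; with python-ldap the same `kdcproxy_enabled` logic would run over the attribute dictionaries returned by a search of the cn=masters subtree, and the heuristic is worth keeping there because an over-restrictive ACI fails in exactly the same shape as "disabled everywhere".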
