Dne 28.5.2015 v 13:56 Christian Heimes napsal(a):
On 2015-05-28 13:30, Jan Cholasta wrote:
Dne 28.5.2015 v 12:53 Christian Heimes napsal(a):
On 2015-05-28 12:46, Martin Kosek wrote:
I am fine with this too. So if there is not another major
disagreement, let us
start with enabling KDCPROXY by default during upgrade/install, the
new ACI and
the per-replica standard configuration.

API CLI/UI can come later (4.2.x or 4.3).

LGTM, too.

How should the new ACI work? I see two possible ways:

1) Allow compare/search for ipaConfigString=enabledService for everybody:


3.0; acl "Compare enabledService access to masters"; allow(search,
compare) userdn = "ldap:///all";;)

2) Create a new permission, assign it to all HTTP principals and allow
read, compare and search for all ipaConfigString attributes.

For the second way I need somebody to walk me through the permission and
role system of FreeIPA.


So, will it be a separate component with its own freeipa-server-kdcproxy
subpackage and installer or will it be a sub-component of KDC (as Martin
suggested) and part of the core freeipa-server package?

For now I'm in favor of a sub-component as part of the freeipa-server

OK, then I'm fine with ipa-kdcproxy-manage, but instead of adding a new service entry for KDC proxy, you can just add a flag to the KDC service entry, like ipaConfigString=kdcProxyEnabled.

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to