On 2015-05-28 13:29, Martin Basti wrote: > On 28/05/15 12:53, Christian Heimes wrote: >> On 2015-05-28 12:46, Martin Kosek wrote: >>> I am fine with this too. So if there is not another major disagreement, let >>> us >>> start with enabling KDCPROXY by default during upgrade/install, the new ACI >>> and >>> the per-replica standard configuration. >>> >>> API CLI/UI can come later (4.2.x or 4.3). >> LGTM, too. >> >> How should the new ACI work? I see two possible ways: >> >> 1) Allow compare/search for ipaConfigString=enabledService for everybody: >> >> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version >> 3.0; acl "Compare enabledService access to masters"; allow(search, >> compare) userdn = "ldap:///all";;) >> >> 2) Create a new permission, assign it to all HTTP principals and allow >> read, compare and search for all ipaConfigString attributes. >> >> For the second way I need somebody to walk me through the permission and >> role system of FreeIPA. > > 3) Or we can create a new keytab for KDC proxy, and add permission only > for this service
The new keytab must be readable by the Apache process.Therefore a new keytab doesn't give us extra security. It separates the kdcproxy service from the IPA webgui. Is that your goal? Christian
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
