On 2015-05-28 13:29, Martin Basti wrote:
> On 28/05/15 12:53, Christian Heimes wrote:
>> On 2015-05-28 12:46, Martin Kosek wrote:
>>> I am fine with this too. So if there is not another major disagreement, let 
>>> us
>>> start with enabling KDCPROXY by default during upgrade/install, the new ACI 
>>> and
>>> the per-replica standard configuration.
>>> API CLI/UI can come later (4.2.x or 4.3).
>> LGTM, too.
>> How should the new ACI work? I see two possible ways:
>> 1) Allow compare/search for ipaConfigString=enabledService for everybody:
>> (targetfilter="(ipaConfigString=enabledService)")(targetattr="ipaConfigString")(version
>> 3.0; acl "Compare enabledService access to masters"; allow(search,
>> compare) userdn = "ldap:///all";;)
>> 2) Create a new permission, assign it to all HTTP principals and allow
>> read, compare and search for all ipaConfigString attributes.
>> For the second way I need somebody to walk me through the permission and
>> role system of FreeIPA.
> 3) Or we can create a new keytab for KDC proxy, and add permission only
> for this service

The new keytab must be readable by the Apache process.Therefore a new
keytab doesn't give us extra security. It separates the kdcproxy service
from the IPA webgui. Is that your goal?


Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to