Hello, thanks you for your input. The former thread has 58 messages in total. Since last Friday we have came to an agreement in most points. I like to some up our decisions and focus on some minor details.
decisions --------- python-kdcproxy will be installed as a dependency of freeipa-server. There won't be a separate freeipa-server-kdcproxy package. That may or may not change in the future. The decision is out of scope for 4.2.0.  KDC proxy support will be enabled by default. The config files and LDAP settings will be created by ipa-server-install, ipa-server-upgrade and ipa-replica-install. The enabled/disabled switch will be stored per-replica in the cn=masters,cn=ipa,cn=etc tree. An API and CLI tool for management is postponed.  For now we settle for some doc examples that use the ipa-ldap-updater as suggested by Alex.  open for discussion ------------------- Jan has suggested to ipaConfigString=kdcProxyEnabled in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of ipaConfigString=enabledService in cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me. After all MS-KKDCP is just another transport for the KDC.  Martin Basti suggested a different keytab and principal for kdcproxy.  The keytab is only required for GSSAPI bind to lookup the state of the enabled/disabled switch. The current patch uses the same keytab as webgui. A new principal separates kdcproxy more cleanly and allows for fine-grained ACIs. It is also more future proof. In the future we may want to move kdcproxy from an Apache WSGI app to a separate service. A dedicated Twisted or asyncio daemon could handle more load. A separate keytab is easy to implement, too. I looked at the code in HTTPInstance.__create_http_keytab(). For the ACI I plan to add a new permission 'System: Read IPA Config String' and make the principal a direct memberOf of it. We don't have service roles yet. cn=roles,cn=accounts look like end user roles to me. The new ACI in cn=masters,cn=ipa,cn=etc will grant read, search and compare permission: (targetfilter = "(objectClass=nsContainer)")(targetattr = "cn || objectClass || ipaConfigString")(version 3.0; acl "Read IPA Config String"; allow (read, search, compare) groupdn = "ldap:///cn=System: Read IPA Config String,cn=permissions,cn=pbac,dc=ipa,dc=example";) I should be able to modify and test my patch in a matter of a couple of hours. Christian  http://www.redhat.com/archives/freeipa-devel/2015-May/msg00535.html  http://www.redhat.com/archives/freeipa-devel/2015-May/msg00555.html  http://www.redhat.com/archives/freeipa-devel/2015-May/msg00533.html  http://www.redhat.com/archives/freeipa-devel/2015-May/msg00543.html  http://www.redhat.com/archives/freeipa-devel/2015-May/msg00539.html
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code