thanks you for your input. The former thread has 58 messages in total.
Since last Friday we have came to an agreement in most points. I like to
some up our decisions and focus on some minor details.


python-kdcproxy will be installed as a dependency of freeipa-server.
There won't be a separate freeipa-server-kdcproxy package. That may or
may not change in the future. The decision is out of scope for 4.2.0. [1]

KDC proxy support will be enabled by default. The config files and LDAP
settings will be created by ipa-server-install, ipa-server-upgrade and

The enabled/disabled switch will be stored per-replica in the
cn=masters,cn=ipa,cn=etc tree. An API and CLI tool for management is
postponed. [2] For now we settle for some doc examples that use the
ipa-ldap-updater as suggested by Alex. [3]

open for discussion

Jan has suggested to ipaConfigString=kdcProxyEnabled in
cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
ipaConfigString=enabledService in
cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me.
After all MS-KKDCP is just another transport for the KDC. [4]

Martin Basti suggested a different keytab and principal for kdcproxy.
[5] The keytab is only required for GSSAPI bind to lookup the state of
the enabled/disabled switch. The current patch uses the same keytab as
A new principal separates kdcproxy more cleanly and allows for
fine-grained ACIs. It is also more future proof. In the future we may
want to move kdcproxy from an Apache WSGI app to a separate service. A
dedicated Twisted or asyncio daemon could handle more load.
A separate keytab is easy to implement, too. I looked at the code in

For the ACI I plan to add a new permission 'System: Read IPA Config
String' and make the principal a direct memberOf of it. We don't have
service roles yet. cn=roles,cn=accounts look like end user roles to me.
The new ACI in cn=masters,cn=ipa,cn=etc will grant read, search and
compare permission:

(targetfilter = "(objectClass=nsContainer)")(targetattr = "cn ||
objectClass || ipaConfigString")(version 3.0; acl "Read IPA Config
String"; allow (read, search, compare) groupdn = "ldap:///cn=System:
Read IPA Config String,cn=permissions,cn=pbac,dc=ipa,dc=example";)

I should be able to modify and test my patch in a matter of a couple of


[1] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00535.html
[2] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00555.html
[3] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00533.html
[4] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00543.html
[5] http://www.redhat.com/archives/freeipa-devel/2015-May/msg00539.html

Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to