Dne 29.5.2015 v 08:07 Nathaniel McCallum napsal(a):
On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
Dne 28.5.2015 v 16:48 Nathaniel McCallum napsal(a):
On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
Jan has suggested to use ipaConfigString=kdcProxyEnabled in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of ipaConfigString=enabledService in cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me.
After all MS-KKDCP is just another transport for the KDC. [4]
There may be a security concern here if we aren't careful. I think I'm in favor of KDCPROXY since it is a different application.

What concern would that be? It has been already established that KDC proxy is not a different application, but rather a subcomponent of KDC in the other thread.

Accidental exposure of something else in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc. My fear comes from the fact that in order to make this work we have to expose stuff in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc to apache. These kinds of cross-domain security allowances always raise red flags for me.

Well, the only exposed thing would be ipaConfigString, which always has an "enabledService" value for KDC and optionally would have "kdcProxyEnabled" value if KDC proxy is enabled. IMO if someone wants to put something sensitive in there, they should use a different attribute anyway.
Don't cross the streams... it would be bad. :)

Unless Zuul comes into the picture.
Nathaniel
--
Jan Cholasta
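As an added illustration (not part of the thread and not FreeIPA's own code), the least-privilege shape Jan's argument implies: an ACI that grants the web server's service identity read access to the ipaConfigString attribute of the cn=KDC entries only, so nothing else in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc becomes visible to Apache. The suffix dc=example,dc=com, the bind identity DN and the ACI name are assumptions chosen for the example.

```ldif
# Constructed example: 389-ds style ACI placed on the cn=masters container.
# Exposes only ipaConfigString, only on cn=KDC entries, only to the web server
# service identity (assumed DN; in a real deployment substitute the HTTP
# service principal entry). No other attribute of cn=KDC becomes readable.
dn: cn=masters,cn=ipa,cn=etc,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "ipaConfigString")
 (target = "ldap:///cn=KDC,cn=*,cn=masters,cn=ipa,cn=etc,dc=example,dc=com")
 (version 3.0; acl "Web server may read KDC proxy flag";
 allow (read, search, compare)
 userdn = "ldap:///krbprincipalname=HTTP/server.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com";)
```

The value the web server is expected to find in that attribute is "kdcProxyEnabled" alongside the existing "enabledService"; the ACI grants no write access, so enabling or disabling the proxy remains an administrative change.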

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code