On 2015-05-29 08:07, Nathaniel McCallum wrote:
> On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote:
>> On 28.5.2015 at 16:48 Nathaniel McCallum wrote:
>>> On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote:
>>>> Jan has suggested using ipaConfigString=kdcProxyEnabled in
>>>> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc instead of
>>>> ipaConfigString=enabledService in
>>>> cn=KDCPROXY,cn=$FQDN,cn=masters,cn=ipa,cn=etc. It makes sense to me.
>>>> After all, MS-KKDCP is just another transport for the KDC.
>>>
>>> There may be a security concern here if we aren't careful. I think I'm
>>> in favor of KDCPROXY since it is a different application.
>>
>> What concern would that be? It has already been established that KDC
>> proxy is not a different application, but rather a subcomponent of KDC,
>> in the other thread.
>
> Accidental exposure of something else in
> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc. My fear comes from the fact
> that in order to make this work we have to expose stuff in
> cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc to apache. These kinds of
> cross-domain security allowances always raise red flags for me.
I don't need read permission for all ipaConfigString attributes. In fact, search and compare for (ipaConfigString=kdcProxyEnabled) is just about enough. Of course I have to name the permission differently. But that is the least of my problems. :)

Your key master,
Christian
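As an added illustration of the search/compare-only permission Christian describes above (example code written for this page, not FreeIPA or 389 Directory Server code; the host name, the base DN suffix and the extra ipaConfigString values on the KDC entry are assumptions). It models the per-attribute right distinction the thread relies on: a permission that grants only search and compare on ipaConfigString lets the KDC proxy answer "is kdcProxyEnabled set on this host's KDC entry?" while a read grant on the same attribute would hand Apache every other value stored there, which is the exposure Nathaniel is worried about.

```python
"""Toy model of LDAP per-attribute access rights: read vs. search/compare.

Constructed example, not FreeIPA or 389 DS code. It models the distinction
between the 'read', 'search' and 'compare' rights on one attribute so the
effect of a narrow KDC proxy permission can be seen without a directory server.
"""
from dataclasses import dataclass


class AccessDenied(Exception):
    """Raised when a permission does not grant the requested right."""


@dataclass(frozen=True)
class Permission:
    """Rights granted on a set of attributes; rights are read/search/compare."""
    name: str
    attrs: frozenset
    rights: frozenset

    def check(self, attr, right):
        if attr not in self.attrs or right not in self.rights:
            raise AccessDenied(f"{self.name}: {right} on {attr} not granted")


# Constructed directory content; host name, suffix and the extra
# ipaConfigString values are assumptions made for this example.
HOST = "ipa.example.test"
SUFFIX = "cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
KDC_DN = f"cn=KDC,cn={HOST},{SUFFIX}"
DIRECTORY = {
    KDC_DN: {
        "cn": ["KDC"],
        "ipaConfigString": ["enabledService", "kdcProxyEnabled", "startOrder 10"],
    },
}


def read_attr(perm, dn, attr):
    """Return all values of attr on dn; requires the 'read' right."""
    perm.check(attr, "read")
    return list(DIRECTORY[dn].get(attr, []))


def compare(perm, dn, attr, value):
    """LDAP compare: is value present on attr of dn? Requires 'compare'."""
    perm.check(attr, "compare")
    return value in DIRECTORY[dn].get(attr, [])


def search(perm, base, attr, value):
    """Equality-filter search under base; returns matching DNs only, no values.
    Requires the 'search' right on the filtered attribute."""
    perm.check(attr, "search")
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base) and value in entry.get(attr, [])]


def kdcproxy_enabled(perm, host):
    """All the KDC proxy needs: is kdcProxyEnabled set on this host's KDC entry?"""
    dn = f"cn=KDC,cn={host},{SUFFIX}"
    return compare(perm, dn, "ipaConfigString", "kdcProxyEnabled")


# The broad grant the thread warns against versus the narrow one proposed.
BROAD = Permission("Read KDC config", frozenset({"ipaConfigString"}),
                   frozenset({"read", "search", "compare"}))
MINIMAL = Permission("Check kdcProxyEnabled", frozenset({"ipaConfigString"}),
                     frozenset({"search", "compare"}))


def demo():
    """Show what each permission exposes; returns a dict for inspection."""
    result = {
        "minimal_can_check": kdcproxy_enabled(MINIMAL, HOST),
        "broad_leaks": read_attr(BROAD, KDC_DN, "ipaConfigString"),
    }
    try:
        read_attr(MINIMAL, KDC_DN, "ipaConfigString")
        result["minimal_can_read"] = True
    except AccessDenied:
        result["minimal_can_read"] = False
    return result


if __name__ == "__main__":
    print(demo())
```

Caveat a practitioner should keep in mind: in a real directory the search right still lets the client match filters against the attribute, and compare is an equality probe, so a search/compare-only grant reduces disclosure to yes/no answers per guessed value rather than to nothing. Scoping the permission to the KDC entry rather than to every entry carrying ipaConfigString keeps even that probing confined to the one entry the proxy needs.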
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code