On 2015-06-17 18:09, Nathaniel McCallum wrote:
> On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
>> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
>>> It doesn't apply again.
>>>
>>> On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
>>>> On 2015-05-27 15:16, Christian Heimes wrote:
>>>>> Hello,
>>>>>
>>>>> here is my first patch for FreeIPA. The patch integrates
>>>>> python-kdcproxy for MS-KKDCP support (aka Kerberos over HTTPS).
>>>>>
>>>>> https://www.freeipa.org/page/V4/KDC_Proxy
>>>>>
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/4801
>>>> freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
>>>> doesn't apply anymore. The new patch is based on the current master.
>>>>
>>>> Christian
>>>>
>>>> --
>>>> Manage your subscription for the Freeipa-devel mailing list:
>>>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>>>> Contribute to FreeIPA:
>>>> http://www.freeipa.org/page/Contribute/Code

Thanks Nathaniel, quick review before I have to leave again. A couple of Red Hatters from Brno just arrived at the hotel. I'll grab a beer with them.

> I'm reviewing Adam's version of Christian's patch.
>
> * FreeIPA should require python-kdcproxy >= 0.3 considering there are
> lots of fixes related to this project.

We need to package it first, when I'm back from NHO. I've started to study the packaging docs in the engineering section. Maybe you or somebody else can walk me through the process next week?

> * KDC Proxy path is not configurable. This probably needs to be noted
> in documentation somewhere when mentioning the default path.

LGTM

> * Has OID 2.16.840.1.1137220.127.116.11.28 been officially claimed?

How? I thought 2.16.840.1.113718.104.22.168 is in our own OID space and we don't have to register it with IANA. Or are you referring to another registry?

> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary? Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

That would make the code simpler and shorter too. I'm +0 on the proposal.

> * The creation of the kdcproxy user is trailed by "exit 0". Why?

https://fedoraproject.org/wiki/Packaging:UsersAndGroups recommends "exit 0".

> * replicainstall.py has trailing whitespace

I'll address it with my next patch.