On 2015-06-17 18:09, Nathaniel McCallum wrote:
> * There is a new permission: Read IPA Masters KDC Proxy. Is this
> necessary. Can't the config be world-readable and admin writable? There
> is no extra security in hiding this attribute. This also completely
> removes the need for a keytab since anonymous binding can be used. This
> also, I believe, removes the need for a service.

I brought up your suggestion in today's IPA devel meeting. Simo
explained that anonymous binding might not be available. Some customers
disable it on their systems. I'd have to find yet another way to
authenticate, e.g. using the user account. That would only work locally,

Let's go ahead with my current approach. It's implemented and I have
tested upgrade and refresh installation a couple of times, too.


Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to