Wouldn’t that also expose the main web UI, and IPA commands? Seems like a much larger attack surface.

On Nov 11, 2019, at 1:27 PM, Alex Corcoles <[email protected]> wrote:

> On Mon, Nov 11, 2019 at 5:45 PM Charles Hedrick <[email protected]> wrote:
>
>> I use Kerberos at home. So do a couple of faculty. I have a Kerberos https: proxy set up on one of our public web servers. This is less than ideal, as it requires installing separate Kerberos software for both Mac and Windows. The Kerberos protocol is standardized across OSs, but not the proxy support (nor the OTP support).
>
> Oh, FreeIPA runs a proxy in the standard setup (see /etc/httpd/conf.d/ipa-kdc-proxy.conf), so I suppose clientwise if you just expose tcp:443 to the Internet things should just work.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
