On Tue, Jun 18, 2013 at 10:37 AM, <[email protected]> wrote:
> On Tuesday, June 18, 2013 5:36:30 AM UTC-7, Erik Dalén wrote:
>>
>> Seems like a decent alternative would be to just have a second
>> webservice/on top of puppet that allows agents to authenticate with their
>> kerberos token and authorize their SSL certificate request that way. That
>> should be fairly easy to build with just some fiddling with mod_auth_kerb,
>> apache configs and puppet auth.conf.
>>
> In our case the obvious external certificate signing service would be
> Microsoft Certificate Services. However if we can pull off Kerberos
> authentication then we do not need to deploy and maintain that service.

I have to say, in the presence of functional Kerberos infrastructure, I
wouldn't want to operate a second, shadow, authentication system for an
admin tool. Having two places to maintain security credentials is much
worse than just having one.

--
Daniel Pittman
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
