author: Christian Heimes <cheimes@redhat.com> 2015-06-23 17:01:00 +0200
committer: Petr Vobornik <pvoborni@redhat.com> 2015-06-24 10:43:58 +0200
commit: 495da412f155603c02907187c21dd4511281df2c (patch)
tree: 8bc25d341bfdfb48673fbc24ba3f538ef87b6d41 /install/share
parent: 49d708f00fd13903dbd96193aac2c608e3512398 (diff)
Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers is read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
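The enable-flag check and the ExecStartPre symlink step that the commit message describes, written out as an added example (this is not code from the FreeIPA commit or project): one POSIX shell function decides from an LDIF dump of the host's cn=KDC entry whether the proxy is enabled, another links or unlinks the Apache config accordingly. The sample LDIF entries, the ipa.example.test host name and the scratch directory are constructed assumptions; on a real master the paths would be /etc/ipa/kdcproxy/ipa-kdc-proxy.conf and /etc/httpd/conf.d/.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA commit: reproduce the decision
# "symlink the kdcproxy Apache config iff ipaConfigString=kdcProxyEnabled
# is present" over a constructed LDIF dump, so the logic can be exercised
# in a scratch directory instead of /etc/httpd/conf.d/.

# Read an LDIF entry on stdin; succeed if it carries the enable flag.
# ipaConfigString is multi-valued, so match the exact value rather than
# merely the presence of the attribute.
kdcproxy_enabled() {
    grep -qi '^ipaConfigString: *kdcProxyEnabled[[:space:]]*$'
}

# state_for_ldif LDIF_TEXT: print 1 when enabled, 0 otherwise.
state_for_ldif() {
    if printf '%s\n' "$1" | kdcproxy_enabled; then echo 1; else echo 0; fi
}

# sync_kdcproxy_link SRC_CONF CONFD_DIR STATE
# Create CONFD_DIR/ipa-kdc-proxy.conf -> SRC_CONF when STATE is 1,
# remove the link otherwise; print the resulting state.
sync_kdcproxy_link() {
    src=$1; confd=$2; state=$3
    link="$confd/ipa-kdc-proxy.conf"
    if [ "$state" -eq 1 ]; then
        ln -sfn "$src" "$link"   # -n: replace, do not descend into, an existing link
        echo enabled
    else
        rm -f "$link"
        echo disabled
    fi
}

# Constructed sample entries as ldapsearch would print them
# (ipa.example.test / dc=example,dc=test are placeholders).
SAMPLE_ENABLED='dn: cn=KDC,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: KDC
ipaConfigString: kdcProxyEnabled'

SAMPLE_DISABLED='dn: cn=KDC,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test
objectClass: nsContainer
objectClass: ipaConfigObject
cn: KDC'

# Walk through both states in a throwaway directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/conf.d"
    echo '# placeholder standing in for the real ipa-kdc-proxy.conf' > "$tmp/ipa-kdc-proxy.conf"
    for sample in "$SAMPLE_ENABLED" "$SAMPLE_DISABLED"; do
        sync_kdcproxy_link "$tmp/ipa-kdc-proxy.conf" "$tmp/conf.d" "$(state_for_ldif "$sample")"
    done
    rm -rf "$tmp"
}

demo
```

Because the link is only reconciled when the function runs, the same caveat applies as to the ExecStartPre in httpd.service: flipping the LDAP flag changes nothing on disk until the next reconciliation, which is why disabling the proxy still needs an httpd restart.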
Diffstat (limited to 'install/share')
-rw-r--r-- install/share/Makefile.am            | 3
-rw-r--r-- install/share/kdcproxy-disable.uldif | 3
-rw-r--r-- install/share/kdcproxy-enable.uldif  | 6
-rw-r--r-- install/share/kdcproxy.conf          | 4
4 files changed, 16 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 53f0ecf01..80e959a75 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -84,6 +84,9 @@ app_DATA = \
sasl-mapping-fallback.ldif \
schema-update.ldif \
vault.update \
+ kdcproxy.conf \
+ kdcproxy-enable.uldif \
+ kdcproxy-disable.uldif \
$(NULL)
EXTRA_DIST = \
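Review bot: the three new kdcproxy entries are appended after vault.update, which breaks the alphabetical order the visible part of app_DATA follows (sasl-mapping-fallback.ldif, schema-update.ldif, vault.update); placing them at their sorted position keeps the list easy to scan and less likely to conflict with other additions at the tail. Listing both kdcproxy-enable.uldif and kdcproxy-disable.uldif here is correct, since the commit message relies on ipa-ldap-updater finding them in the share directory.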
diff --git a/install/share/kdcproxy-disable.uldif b/install/share/kdcproxy-disable.uldif
new file mode 100644
index 000000000..bfc0b72c1
--- /dev/null
+++ b/install/share/kdcproxy-disable.uldif
@@ -0,0 +1,3 @@
+# Disable MS-KKDCP protocol for the current host
+dn: cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+remove:ipaConfigString:kdcProxyEnabled
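Review bot: `remove:ipaConfigString:kdcProxyEnabled` has no space after either colon while the enable file writes `add: ipaConfigString: kdcProxyEnabled`; pick one form for both files. The more important point is that this update only changes LDAP state: per the commit message the symlink into /etc/httpd/conf.d/ is created by an ExecStartPre, so the /KdcProxy endpoint keeps serving until httpd is restarted. A second comment line here saying "restart httpd for this to take effect" would stop an operator from assuming the disable is immediate.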
diff --git a/install/share/kdcproxy-enable.uldif b/install/share/kdcproxy-enable.uldif
new file mode 100644
index 000000000..92297152f
--- /dev/null
+++ b/install/share/kdcproxy-enable.uldif
@@ -0,0 +1,6 @@
+# Enable MS-KKDCP protocol for the current host
+dn: cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: ipaConfigObject
+default:cn: KDC
+add: ipaConfigString: kdcProxyEnabled
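Review bot: the dn is keyed on $FQDN, so this update enables the proxy only on the master it is applied to; the header comment says "for the current host", but spelling out that every master that should answer /KdcProxy needs the file applied separately would avoid a partially enabled deployment. The `default:` objectClass and cn lines appear intended to create the cn=KDC container when it does not exist yet, which is what lets the same file work on masters upgraded from a release without that entry; a short comment saying so would make the intent clear to the next reader.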
diff --git a/install/share/kdcproxy.conf b/install/share/kdcproxy.conf
new file mode 100644
index 000000000..530703d4a
--- /dev/null
+++ b/install/share/kdcproxy.conf
@@ -0,0 +1,4 @@
+[global]
+configs = mit
+use_dns = false
+
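Review bot: `use_dns = false` is the right setting for a FreeIPA master, but nothing in the file says why; a one-line comment noting that KDC and KPASSWD locations come from /etc/krb5.conf (as the commit message states) would keep someone from re-enabling SRV lookups and having the proxy forward to KDCs that the IPA configuration does not know about. Separately, this file is installed into the share directory through app_DATA, while httpd.service reads KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf; the copy into /etc/ipa is outside install/share, so a pointer to the installer step that performs it would help review.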