From 495da412f155603c02907187c21dd4511281df2c Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Tue, 23 Jun 2015 17:01:00 +0200
Subject: Provide Kerberos over HTTP (MS-KKDCP)

Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The location of KDC and KPASSWD servers is read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum
Reviewed-By: Simo Sorce
---
 install/share/Makefile.am            | 3 +++
 install/share/kdcproxy-disable.uldif | 3 +++
 install/share/kdcproxy-enable.uldif  | 6 ++++++
 install/share/kdcproxy.conf          | 4 ++++
 4 files changed, 16 insertions(+)
 create mode 100644 install/share/kdcproxy-disable.uldif
 create mode 100644 install/share/kdcproxy-enable.uldif
 create mode 100644 install/share/kdcproxy.conf
(limited to 'install/share')
diff --git a/install/share/Makefile.am b/install/share/Makefile.am index 53f0ecf01..80e959a75 100644 --- a/install/share/Makefile.am +++ b/install/share/Makefile.am @@ -84,6 +84,9 @@ app_DATA = \ sasl-mapping-fallback.ldif \ schema-update.ldif \ vault.update \ + kdcproxy.conf \ + kdcproxy-enable.uldif \ + kdcproxy-disable.uldif \ $(NULL) EXTRA_DIST = \ diff --git a/install/share/kdcproxy-disable.uldif b/install/share/kdcproxy-disable.uldif new file mode 100644 index 000000000..bfc0b72c1 --- /dev/null +++ b/install/share/kdcproxy-disable.uldif @@ -0,0 +1,3 @@ +# Disable MS-KKDCP protocol for the current host +dn: cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX +remove:ipaConfigString:kdcProxyEnabled diff --git a/install/share/kdcproxy-enable.uldif b/install/share/kdcproxy-enable.uldif new file mode 100644 index 000000000..92297152f --- /dev/null +++ b/install/share/kdcproxy-enable.uldif @@ -0,0 +1,6 @@ +# Enable MS-KKDCP protocol for the current host +dn: cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX +default:objectClass: nsContainer +default:objectClass: ipaConfigObject +default:cn: KDC +add: ipaConfigString: kdcProxyEnabled diff --git a/install/share/kdcproxy.conf b/install/share/kdcproxy.conf new file mode 100644 index 000000000..530703d4a --- /dev/null +++ b/install/share/kdcproxy.conf @@ -0,0 +1,4 @@ +[global] +configs = mit +use_dns = false +
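Review bot: In the Makefile.am hunk, kdcproxy.conf is installed as app_DATA (shared data) while the commit message says httpd.service reads it as KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf; the step that places the file under /etc/ipa is not in this diff (limited to install/share), so a short comment next to the new entries, or in the commit message, naming where that copy happens would help the next reader understand why a runtime config lives in app_DATA alongside the two .uldif files.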
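Review bot: In kdcproxy-disable.uldif, the line `remove:ipaConfigString:kdcProxyEnabled` has no space after either colon, whereas kdcproxy-enable.uldif writes `add: ipaConfigString: kdcProxyEnabled`; please use the same spacing in both files so the two updates are parsed identically by ipa-ldap-updater and read consistently. Dropping an attribute that is absent is harmless, so the file needs no `default:` lines, but a one-line comment saying the removal is a no-op on hosts that never enabled the proxy would make that intent explicit.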
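Review bot: In kdcproxy-enable.uldif, the header comment `# Enable MS-KKDCP protocol for the current host` overstates what the file does: per the commit message, adding ipaConfigString=kdcProxyEnabled only marks the host, and the Apache config is symlinked into /etc/httpd/conf.d/ by the ExecStartPre script on the next httpd start. Suggest extending the comment to say that httpd must be restarted for the change to take effect, so an operator applying this ldif by hand is not left with a proxy that is enabled in LDAP but not served. The `default:` lines that create the cn=KDC container with objectClass nsContainer and ipaConfigObject look correct for hosts where the entry does not exist yet.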
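Review bot: kdcproxy.conf ships with no comments, so the reasoning in the commit message is lost in the installed file: `configs = mit` is what makes kdcproxy take KDC and KPASSWD locations from /etc/krb5.conf, and `use_dns = false` is what disables DNS SRV lookups. Suggest a two-line comment above `[global]` stating both, since an administrator editing /etc/ipa/kdcproxy.conf later should know that flipping use_dns changes where the proxy forwards Kerberos traffic. The fourth added line is an empty trailing line; drop it unless the file needs it.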