| field | value | date |
|---|---|---|
| author | Christian Heimes <cheimes@redhat.com> | 2015-06-23 17:01:00 +0200 |
| committer | Petr Vobornik <pvoborni@redhat.com> | 2015-06-24 10:43:58 +0200 |
| commit | 495da412f155603c02907187c21dd4511281df2c (patch) | |
| tree | 8bc25d341bfdfb48673fbc24ba3f538ef87b6d41 /ipaplatform/base | |
| parent | 49d708f00fd13903dbd96193aac2c608e3512398 (diff) | |
Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.
- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is
present.
- The installers and update create a new Apache config file
/etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
/KdcProxy. The app is run inside its own WSGI daemon group with
a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to
/etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
so that an existing config is not used. SetEnv from Apache config does
not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
locations of the KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
ipa-ldap-updater. No CLI script is offered yet.
https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801
Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
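The gating rule described above (the Apache config is linked into conf.d only while the KDC service entry carries ipaConfigString=kdcProxyEnabled) is easy to get subtly wrong in an ExecStartPre hook: the link must be removed again when the flag disappears, and the hook must never clobber a regular file an administrator placed at the same path. The POSIX sh below is an added illustration of that logic, not FreeIPA's own ExecStartPre script; it reads the service entry from an LDIF file instead of querying LDAP, and the entry, file names and temporary directory it uses are constructed for the demo.

```shell
#!/bin/sh
# Added example, not FreeIPA's own script: reconcile the kdcproxy Apache
# config symlink with the enable flag found in an LDIF dump of the KDC
# service entry. Paths are passed in so the logic can be exercised in a
# temporary directory.

# kdcproxy_enabled_in_ldif <ldif>
# True when the entry carries exactly "ipaConfigString: kdcProxyEnabled".
# ipaConfigString is multi-valued, so other values on the entry are ignored.
kdcproxy_enabled_in_ldif() {
    grep -qxF 'ipaConfigString: kdcProxyEnabled' "$1"
}

# sync_kdcproxy_symlink <ldif> <conf> <link>
# Creates <link> -> <conf> when the flag is present and removes <link>
# otherwise. Prints "enabled" or "disabled" so callers can log the outcome.
# Refuses to replace a regular file at <link>: only a symlink is ever removed.
sync_kdcproxy_symlink() {
    ldif=$1 conf=$2 link=$3
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "$link exists and is not a symlink; refusing to touch it" >&2
        return 1
    fi
    if kdcproxy_enabled_in_ldif "$ldif"; then
        if [ ! -f "$conf" ]; then
            echo "kdcproxy is enabled but $conf is missing" >&2
            return 1
        fi
        rm -f "$link"          # drop a stale or dangling link first
        ln -s "$conf" "$link"
        echo enabled
    else
        rm -f "$link"          # harmless when no link exists
        echo disabled
    fi
}

# Stand-alone demo in a scratch directory (constructed sample data).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/ipa-kdc-proxy.conf"
demo_link="$demo_dir/conf.d/ipa-kdc-proxy.conf"
mkdir -p "$demo_dir/conf.d"
: > "$demo_conf"

# Entry with the flag set (hypothetical host and suffix).
printf '%s\n' \
    'dn: cn=KDC,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test' \
    'ipaConfigString: enabledService' \
    'ipaConfigString: kdcProxyEnabled' > "$demo_dir/kdc.ldif"
sync_kdcproxy_symlink "$demo_dir/kdc.ldif" "$demo_conf" "$demo_link"

# Same entry after the flag has been removed with ipa-ldap-updater.
printf '%s\n' \
    'dn: cn=KDC,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test' \
    'ipaConfigString: enabledService' > "$demo_dir/kdc.ldif"
sync_kdcproxy_symlink "$demo_dir/kdc.ldif" "$demo_conf" "$demo_link"

rm -rf "$demo_dir"
```

Because the state lives in LDAP and not in the file system, the hook has to be idempotent in both directions; the refusal to remove anything that is not a symlink keeps an operator's hand-written conf.d file from being silently deleted when the flag is cleared.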
Diffstat (limited to 'ipaplatform/base')
-rw-r--r-- | ipaplatform/base/paths.py | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index e6b191819..e847f93b5 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -49,6 +49,8 @@ class BasePathNamespace(object): ALIAS_CACERT_ASC = "/etc/httpd/alias/cacert.asc" ALIAS_PWDFILE_TXT = "/etc/httpd/alias/pwdfile.txt" HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/" + HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf" + HTTPD_IPA_KDCPROXY_CONF_SYMLINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf" HTTPD_IPA_PKI_PROXY_CONF = "/etc/httpd/conf.d/ipa-pki-proxy.conf" HTTPD_IPA_REWRITE_CONF = "/etc/httpd/conf.d/ipa-rewrite.conf" HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf" @@ -342,7 +344,7 @@ class BasePathNamespace(object): DB2LDIF = '/usr/sbin/db2ldif' BAK2DB = '/usr/sbin/bak2db' DB2BAK = '/usr/sbin/db2bak' - + KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf' path_namespace = BasePathNamespace |
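Review bot: in the first hunk, HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf" is the only HTTPD_IPA_* constant that does not point under /etc/httpd/conf.d/, and nothing in the file says it is the source that HTTPD_IPA_KDCPROXY_CONF_SYMLINK is linked to only while ipaConfigString=kdcProxyEnabled is set; a one-line comment above the pair would spare the next reader a trip to the httpd.service unit. Consider also deriving the symlink path from the existing HTTPD_CONF_D_DIR so the two strings cannot drift apart.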
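Review bot: in the second hunk, KDCPROXY_CONFIG = '/etc/ipa/kdcproxy/kdcproxy.conf' does not match the commit message, which states that httpd.service sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf; since the sole purpose of that environment variable is to stop python-kdcproxy from picking up a pre-existing config, the unit file and this constant must name the same file, so one of them needs correcting. The hunk also replaces the blank line that separated the 389-ds tools (DB2LDIF, BAK2DB, DB2BAK) from what follows; keep the separator and add the new constant beneath it.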