On 05/27/2015 01:33 PM, Christian Heimes wrote:
> On 2015-05-27 11:59, Martin Kosek wrote:
>> On 05/27/2015 11:53 AM, Alexander Bokovoy wrote:
>>> On Wed, 27 May 2015, Martin Kosek wrote:
>>>> On 05/26/2015 05:40 PM, Jan Cholasta wrote:
>>>>> On 22.5.2015 at 12:24, Christian Heimes wrote:
>>>> ...
>>>>>> Finally I haven't figured out the best way to configure the instance. An
>>>>>> admin should be able to enable / disable KDC proxy. Should I write a
>>>>>> script or an ipa plugin for the job?
>>>>>
>>>>> A script, ipa-kdcproxy-install, if you want to be consistent with what's
>>>>> already there.
>>>>
>>>> I thought we wanted to install it by default and only switch it on/off via
>>>> configuration in LDAP. In that case, no ipa-*-install should be needed.
>>> As with any other feature which requires configuration of other
>>> components, if it wasn't installed before, you need to make sure you are
>>> able to configure it over an upgraded instance. Not providing
>>> ipa-kdcproxy-install would mean you are not supporting an upgrade case.
>>
>> I do not disagree with the approach for optional components. But as I wrote
>> above, this was supposed to be configured everywhere by default - both on new
>> and upgraded installations.
>>
>> AFAIK, it is mostly just one config for Apache and wsgi script.
>
> Yes, it is really just one boolean switch (service enabled/disabled).
> The state of the switch is read when Apache is started or reloaded. In
> the default state KDC Proxy is enabled. When the service is disabled,
> the WSGI script replies with 404 instead. All remaining settings like
> kdc, kadmin and kpasswd server(s) are read from /etc/krb5.conf.
>
> I had both the per-replica and the global switch implemented. After a
> discussion with Nathaniel and Martin, it's now a global switch only.
> Nathaniel argued that a global switch is easier to implement as well as
> sufficient for now.
>
> The state of the switch is controlled with ipa config-mod:
>
>   ipa config-mod --enable-kdcproxy=TRUE
>   ipa config-mod --enable-kdcproxy=FALSE
>
> The schema changes for the new attribute are handled by
> ipa-server-upgrade. The Apache config file is created by
> ipa-server-install, ipa-replica-install and ipa-server-upgrade.

Thanks. This is all we need for 4.2, IMO.

Martin