On Fri, 2015-06-12 at 17:58 -0400, Adam Young wrote:
> On 06/12/2015 03:40 PM, Nathaniel McCallum wrote:
> > It doesn't apply again.
> >
> > On Tue, 2015-06-09 at 15:55 +0200, Christian Heimes wrote:
> > > On 2015-05-27 15:16, Christian Heimes wrote:
> > > > Hello,
> > > >
> > > > here is my first patch for FreeIPA. The patch integrates
> > > > python-kdcproxy for MS-KKDCP support (aka Kerberos over HTTPS).
> > > >
> > > > https://www.freeipa.org/page/V4/KDC_Proxy
> > > >
> > > > Ticket: https://fedorahosted.org/freeipa/ticket/4801
> > > freeipa-cheimes-0001-2-Provide-Kerberos-over-HTTP-MS-KKDCP.patch
> > > doesn't apply anymore. The new patch is based on the current master.
> > >
> > > Christian
> > >
> > > --
> > > Manage your subscription for the Freeipa-devel mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > Contribute to FreeIPA:
> > > http://www.freeipa.org/page/Contribute/Code

I'm reviewing Adam's version of Christian's patch.

* FreeIPA should require python-kdcproxy >= 0.3 considering there are
  lots of fixes related to this project.
* KDC Proxy path is not configurable. This probably needs to be noted
  in documentation somewhere when mentioning the default path.
* Has OID 2.16.840.1.113730.3.8.3.28 been officially claimed?
* There is a new permission: Read IPA Masters KDC Proxy. Is this
  necessary? Can't the config be world-readable and admin writable?
  There is no extra security in hiding this attribute. This also
  completely removes the need for a keytab since anonymous binding can
  be used. This also, I believe, removes the need for a service.
* The creation of the kdcproxy user is trailed by "exit 0". Why?
* replicainstall.py has trailing whitespace.

Nathaniel