On 2015-06-22 16:22, Nathaniel McCallum wrote:
> On Mon, 2015-06-22 at 10:10 -0400, Simo Sorce wrote:
>> On Mon, 2015-06-22 at 10:01 -0400, Nathaniel McCallum wrote:
>>> I'd still prefer a user mapping to managing a keytab. This patch is 
>>> just way too complex for what it does.
>>
>> User mapping ?
> 
> EXTERNAL bind

Nathaniel, Simo and I had a discussion on #ipa. Eventually our combined
brains came up with a simpler solution, that is good enough for now. The
new proposal needs neither a keytab nor a new permission. It even
removes the necessity for a shim module.

The WSGI config file for Apache is moved to a different location (e.g.
/etc/ipa/ipa-kdc-proxy.conf). I have to check SELinux rules to find a
proper location.

An additional ExecStartPre script is hooked into httpd.service instead.
The script reads the status of the flag from LDAP. If kdcproxy is
enabled, it symlinks the WSGI config file to
/etc/httpd/conf.d/ipa-kdc-proxy.conf. Otherwise it removes the symlink.
When the file is not a symlink or doesn't point to
/etc/ipa/ipa-kdc-proxy.conf, then the script only prints a warning. The
file is neither replaced nor removed.

Because systemd scripts run as root, the ExecStartPre script can use
EXTERNAL bind over ldapi to access 389 DS. The root user is mapped to
the Directory Manager user, which is allowed to read all entries in the
cn=masters,cn=ipa,cn=etc subtree. That way the script needs neither
a keytab nor an additional permission.

With the ExecStartPre we don't lose any functionality. When the config
file is not symlinked, Apache responds with a 404 (just like before).
Apache must be reloaded before a new setting becomes effective (just
like before).

Christian

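The ExecStartPre script described in the message above, as an added example that is not part of the thread or of FreeIPA's own code. It implements the three behaviours the mail specifies: read the flag from 389 DS over ldapi with SASL EXTERNAL (root is mapped to Directory Manager), create or remove the symlink /etc/httpd/conf.d/ipa-kdc-proxy.conf to /etc/ipa/ipa-kdc-proxy.conf, and only warn when that path is a regular file or a symlink pointing elsewhere. The ldapi socket path, the base DN, the entry under cn=masters and the attribute/value used as the flag (`ipaConfigString: kdcProxyEnabled`) are assumptions, since the mail does not name them; the LDAP query goes through the `ldapsearch` CLI so the script has no dependency on a Python LDAP binding.

```python
#!/usr/bin/python3
"""Example ExecStartPre helper for httpd.service: enable or disable the
KDC proxy WSGI config by (un)linking it into Apache's conf.d.
Not FreeIPA's own script; LDAP location and flag are assumptions."""
import logging
import os
import socket
import subprocess
import sys

# Paths are the ones given in the mail.
SOURCE = "/etc/ipa/ipa-kdc-proxy.conf"
LINK = "/etc/httpd/conf.d/ipa-kdc-proxy.conf"

# Everything below is an assumption/placeholder, not taken from the mail.
LDAPI_URI = "ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket"   # placeholder instance
MASTERS_BASE = "cn=masters,cn=ipa,cn=etc,dc=example,dc=test"  # placeholder base DN
FLAG_ATTR = "ipaConfigString"    # assumed flag attribute
FLAG_VALUE = "kdcProxyEnabled"   # assumed flag value

log = logging.getLogger("ipa-kdc-proxy")


def parse_flag(ldif):
    """Return True if the assumed flag value is among FLAG_ATTR values in LDIF."""
    for line in ldif.splitlines():
        if line.startswith(FLAG_ATTR + ":"):
            if line.split(":", 1)[1].strip() == FLAG_VALUE:
                return True
    return False


def kdcproxy_enabled_from_ldap(fqdn):
    """Read the flag from this master's KDC entry (assumed location) over
    ldapi. Because the script runs as root, SASL EXTERNAL maps it to
    Directory Manager, so no keytab and no extra permission are needed."""
    base = "cn=KDC,cn=%s,%s" % (fqdn, MASTERS_BASE)
    out = subprocess.run(
        ["ldapsearch", "-LLL", "-Q", "-Y", "EXTERNAL", "-H", LDAPI_URI,
         "-b", base, "-s", "base", "(objectClass=*)", FLAG_ATTR],
        check=True, capture_output=True, text=True).stdout
    return parse_flag(out)


def reconcile_symlink(enabled, source=SOURCE, link=LINK):
    """Make `link` reflect `enabled`. Returns one of
    'created', 'removed', 'unchanged' or 'foreign' (warned, not touched)."""
    if os.path.islink(link):
        target = os.readlink(link)
        if target != source:
            log.warning("%s is a symlink to %s, not %s; leaving it alone",
                        link, target, source)
            return "foreign"
    elif os.path.lexists(link):
        # A real file (e.g. hand-written config) is never replaced or removed.
        log.warning("%s exists but is not a symlink; leaving it alone", link)
        return "foreign"

    if enabled:
        if os.path.islink(link):
            return "unchanged"
        os.symlink(source, link)
        return "created"
    if not os.path.islink(link):
        return "unchanged"
    os.unlink(link)
    return "removed"


def main():
    logging.basicConfig(format="%(name)s: %(levelname)s: %(message)s")
    try:
        enabled = kdcproxy_enabled_from_ldap(socket.getfqdn())
    except (OSError, subprocess.CalledProcessError) as exc:
        # Design choice for this example: an unreachable DS must not keep
        # httpd from starting, so keep the current symlink state and exit 0.
        log.warning("cannot read kdcproxy flag from LDAP (%s); leaving %s as is",
                    exc, LINK)
        return 0
    result = reconcile_symlink(enabled)
    log.warning("kdcproxy %s: %s %s", "enabled" if enabled else "disabled",
                LINK, result)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Wired in as `ExecStartPre=/path/to/this-script` in a drop-in for httpd.service, the script exits 0 in every case so that a problem with the flag lookup cannot block Apache from starting; as the mail says, a missing symlink simply means Apache keeps answering 404 for the proxy path, and a reload is still required before a changed flag takes effect.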

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
