freeipa/install
Christian Heimes 495da412f1 Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled, when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- A ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  location of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-24 10:43:58 +02:00
..
certmonger Adopted kinit_keytab and kinit_password for kerberos auth 2015-04-20 08:27:35 +00:00
conf Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24 10:43:58 +02:00
ffextension webui: append network.negotiate-auth.trusted-uris 2014-09-11 09:41:51 +02:00
html webui: remove remnants of jquery-ui 2014-06-10 10:23:22 +02:00
migration ipaplatform: Move all filesystem paths to ipaplatform.paths module 2014-06-16 19:48:20 +02:00
po Add a KRA to IPA 2014-08-22 09:59:31 +02:00
restart_scripts Adopted kinit_keytab and kinit_password for kerberos auth 2015-04-20 08:27:35 +00:00
share Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24 10:43:58 +02:00
tools Provide Kerberos over HTTP (MS-KKDCP) 2015-06-24 10:43:58 +02:00
ui webui: adjust user deleter dialog to new api 2015-06-18 15:50:44 +02:00
updates Server Upgrade: create default config for NIS Server plugin 2015-06-18 17:48:36 +02:00
wsgi Remove trivial path constants from modules 2014-11-04 12:57:01 +01:00
configure.ac Import included profiles during install or upgrade 2015-06-04 08:27:33 +00:00
Makefile.am Change group ownership of CRL publish directory 2013-07-16 12:17:40 +02:00
README.schema Add some basic rules for adding new schema 2010-08-27 13:40:37 -04:00

Ground rules on adding new schema

Brand new schema, particularly when written specifically for IPA, should be
added in share/*.ldif. Any new files need to be explicitly loaded in
ipaserver/install/dsinstance.py. These simply get copied directly into
the new instance schema directory.

Existing schema (e.g. in an LDAP draft) may either be added as a separate
ldif in share or as an update in the updates directory. The advantage of
adding the schema as an update is if 389-ds ever adds the schema then the
installation won't fail due to existing schema failing to load during
bootstrap.

If the new schema requires a new container then this should be added
to install/bootstrap-template.ldif.