495da412f1
Add integration of python-kdcproxy into FreeIPA to support the MS Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX. It is enabled when ipaConfigString=kdcProxyEnabled is present.
- The installers and update create a new Apache config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on /KdcProxy. The app is run inside its own WSGI daemon group with a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf, so that an existing config is not used. SetEnv from Apache config does not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The locations of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy
https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Makefile
# Empty sentinel. Each list below ends with $(NULL) so that every real entry
# can carry a trailing continuation backslash and entries can be added or
# removed without touching the neighbouring lines.
NULL =

# Subdirectories handled in addition to this one (automake SUBDIRS convention).
SUBDIRS = \
	advise \
	profiles \
	$(NULL)

# Install directory for the files listed in app_DATA.
# IPA_DATA_DIR is not defined in this file; it has to come from the
# surrounding build configuration.
appdir = $(IPA_DATA_DIR)

# Data files installed into $(appdir): LDIF schema and entry files, update
# files, configuration templates and two Python files.
# automake installs <name>_DATA entries with $(INSTALL_DATA), so wsgi.py and
# copy-schema-to-ca.py are shipped as plain data rather than as executables.
# NOTE(review): several entries look like security defaults for a new
# deployment (default-aci.ldif, default-hbac.ldif, default-caacl.ldif,
# replica-acis.ldif); confirm against their contents before treating a change
# to this list as purely a packaging change.
app_DATA = \
	05rfc2247.ldif \
	15rfc2307bis.ldif \
	15rfc4876.ldif \
	60kerberos.ldif \
	60samba.ldif \
	60ipaconfig.ldif \
	60basev2.ldif \
	60basev3.ldif \
	60ipadns.ldif \
	60ipapk11.ldif \
	60certificate-profiles.ldif \
	61kerberos-ipav3.ldif \
	65ipacertstore.ldif \
	65ipasudo.ldif \
	70ipaotp.ldif \
	70topology.ldif \
	71idviews.ldif \
	72domainlevels.ldif \
	anonymous-vlv.ldif \
	bootstrap-template.ldif \
	caJarSigningCert.cfg.template \
	default-aci.ldif \
	default-caacl.ldif \
	default-hbac.ldif \
	default-smb-group.ldif \
	default-trust-view.ldif \
	delegation.ldif \
	replica-acis.ldif \
	ds-nfiles.ldif \
	dns.ldif \
	dnssec.ldif \
	domainlevel.ldif \
	kerberos.ldif \
	indices.ldif \
	bind.named.conf.template \
	bind.zone.db.template \
	certmap.conf.template \
	kdc.conf.template \
	kdc_extensions.template \
	kdc_req.conf.template \
	krb5.conf.template \
	krb5.ini.template \
	krb.con.template \
	krb.js.template \
	krbrealm.con.template \
	preferences.html.template \
	smb.conf.template \
	smb.conf.empty \
	referint-conf.ldif \
	dna.ldif \
	master-entry.ldif \
	memberof-task.ldif \
	memberof-conf.ldif \
	nis.uldif \
	opendnssec_conf.template \
	opendnssec_kasp.template \
	unique-attributes.ldif \
	schema_compat.uldif \
	ldapi.ldif \
	wsgi.py \
	repoint-managed-entries.ldif \
	managed-entries.ldif \
	topology-entries.ldif \
	user_private_groups.ldif \
	host_nis_groups.ldif \
	uuid.ldif \
	modrdn-krbprinc.ldif \
	entryusn.ldif \
	root-autobind.ldif \
	sudobind.ldif \
	automember.ldif \
	replica-automember.ldif \
	replica-s4u2proxy.ldif \
	copy-schema-to-ca.py \
	sasl-mapping-fallback.ldif \
	schema-update.ldif \
	vault.update \
	$(NULL)

# KDC proxy files, appended to the same install list in their original order.
# NOTE(review): judging by the names only, the two .uldif files switch the
# KDC proxy on and off. They are installed alongside everything else, so
# confirm that kdcproxy-enable.uldif is never applied implicitly on hosts
# where Kerberos over HTTP(S) should stay off.
app_DATA += \
	kdcproxy.conf \
	kdcproxy-enable.uldif \
	kdcproxy-disable.uldif \
	$(NULL)

# Ship every installed data file in the distribution tarball as well.
EXTRA_DIST = \
	$(app_DATA) \
	$(NULL)

# Files removed by the maintainer-clean target: editor backups and the
# generated Makefile.in.
MAINTAINERCLEANFILES = \
	*~ \
	Makefile.in