freeipa/install/share/Makefile.am
Christian Heimes 495da412f1 Provide Kerberos over HTTP (MS-KKDCP)
Add integration of python-kdcproxy into FreeIPA to support the MS
Kerberos KDC proxy protocol (MS-KKDCP), to allow KDC and KPASSWD
client requests over HTTP and HTTPS.

- freeipa-server now depends on python-kdcproxy >= 0.3. All kdcproxy
  dependencies are already satisfied.
- The service's state is configured in cn=KDC,cn=$FQDN,cn=masters,cn=ipa,
  cn=etc,$SUFFIX. It's enabled when ipaConfigString=kdcProxyEnabled is
  present.
- The installers and update create a new Apache config file
  /etc/ipa/kdcproxy/ipa-kdc-proxy.conf that mounts a WSGI app on
  /KdcProxy. The app is run inside its own WSGI daemon group with
  a different uid and gid than the webui.
- An ExecStartPre script in httpd.service symlinks the config file to
  /etc/httpd/conf.d/ iff ipaConfigString=kdcProxyEnabled is present.
- The httpd.service also sets KDCPROXY_CONFIG=/etc/ipa/kdcproxy.conf,
  so that an existing config is not used. SetEnv from Apache config does
  not work here, because it doesn't set an OS env var.
- python-kdcproxy is configured to *not* use DNS SRV lookups. The
  locations of KDC and KPASSWD servers are read from /etc/krb5.conf.
- The state of the service can be modified with two ldif files for
  ipa-ldap-updater. No CLI script is offered yet.

https://www.freeipa.org/page/V4/KDC_Proxy

https://fedorahosted.org/freeipa/ticket/4801

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2015-06-24 10:43:58 +02:00

99 lines
2.0 KiB
Makefile

NULL =

SUBDIRS = \
	advise \
	profiles \
	$(NULL)

appdir = $(IPA_DATA_DIR)
app_DATA = \
	05rfc2247.ldif \
	15rfc2307bis.ldif \
	15rfc4876.ldif \
	60kerberos.ldif \
	60samba.ldif \
	60ipaconfig.ldif \
	60basev2.ldif \
	60basev3.ldif \
	60ipadns.ldif \
	60ipapk11.ldif \
	60certificate-profiles.ldif \
	61kerberos-ipav3.ldif \
	65ipacertstore.ldif \
	65ipasudo.ldif \
	70ipaotp.ldif \
	70topology.ldif \
	71idviews.ldif \
	72domainlevels.ldif \
	anonymous-vlv.ldif \
	bootstrap-template.ldif \
	caJarSigningCert.cfg.template \
	default-aci.ldif \
	default-caacl.ldif \
	default-hbac.ldif \
	default-smb-group.ldif \
	default-trust-view.ldif \
	delegation.ldif \
	replica-acis.ldif \
	ds-nfiles.ldif \
	dns.ldif \
	dnssec.ldif \
	domainlevel.ldif \
	kerberos.ldif \
	indices.ldif \
	bind.named.conf.template \
	bind.zone.db.template \
	certmap.conf.template \
	kdc.conf.template \
	kdc_extensions.template \
	kdc_req.conf.template \
	krb5.conf.template \
	krb5.ini.template \
	krb.con.template \
	krb.js.template \
	krbrealm.con.template \
	preferences.html.template \
	smb.conf.template \
	smb.conf.empty \
	referint-conf.ldif \
	dna.ldif \
	master-entry.ldif \
	memberof-task.ldif \
	memberof-conf.ldif \
	nis.uldif \
	opendnssec_conf.template \
	opendnssec_kasp.template \
	unique-attributes.ldif \
	schema_compat.uldif \
	ldapi.ldif \
	wsgi.py \
	repoint-managed-entries.ldif \
	managed-entries.ldif \
	topology-entries.ldif \
	user_private_groups.ldif \
	host_nis_groups.ldif \
	uuid.ldif \
	modrdn-krbprinc.ldif \
	entryusn.ldif \
	root-autobind.ldif \
	sudobind.ldif \
	automember.ldif \
	replica-automember.ldif \
	replica-s4u2proxy.ldif \
	copy-schema-to-ca.py \
	sasl-mapping-fallback.ldif \
	schema-update.ldif \
	vault.update \
	kdcproxy.conf \
	kdcproxy-enable.uldif \
	kdcproxy-disable.uldif \
	$(NULL)

EXTRA_DIST = \
	$(app_DATA) \
	$(NULL)

MAINTAINERCLEANFILES = \
	*~ \
	Makefile.in