[Freeipa-devel] [PATCH] 1028 service pac types

Martin Kosek mkosek at redhat.com
Wed Aug 1 14:53:56 UTC 2012


On 07/06/2012 04:18 PM, Rob Crittenden wrote:
> Simo Sorce wrote:
>> On Mon, 2012-06-25 at 17:38 -0400, Rob Crittenden wrote:
>>> Simo Sorce wrote:
>>>> On Mon, 2012-06-25 at 16:23 -0400, Rob Crittenden wrote:
>>>>> Simo Sorce wrote:
>>>>>> ----- Original Message -----
>>>>>>> This patch is more a WIP than anything. I want to see if I'm on the
>>>>>>> right track.
>>>>>>
>>>>>> Hi Rob,
>>>>>> I don't think we need ipaDefaultKrbAuthzData, we can use the same
>>>>>> attribute both in ipaGuiConfig and ipaService, where it is placed makes
>>>>>> the difference.
>>>>>>
>>>>>> You haven't changed ipaService in the base ldif.
>>>>>
>>>>> On new installs the updates are still applied, gets added.
>>>>
>>>> Sure it 'works' but the ldif files are now incomplete and slightly
>>>> misleading, is there a good reason to not update them?
>>>
>>> It is because it is in a file 60basev2.ldif. This is a v3 schema
>>> addition. It is one confusing element over another.
>>
>> My concern is that if you pick the ipa schema files to install somewhere
>> else you will not have the full schema.
>>
>> If we do not provide the full schema in our installable ldif files then
>> we also need to publish a separate set of documents with the official
>> schema.
>>
>> If that's what we decide to do, then please open a ticket to address
>> publication of this separate set of ldif files, although it will become
>> yet another thing to maintain and make sure it doesn't get
>> de-synchronized with the actual data in the git tree.
> 
> Ok, moved some things around.
> 
> rob

The patch works fine. I just had to do 2 things before I could ACK&push it.

1) I added the new attribute OID to our OID assignment list:
https://home.corp.redhat.com/wiki/ldapschemaoids

2) I had to modify the ipaKrbAuthzData update line in 60-trusts.update from:
+add: ipaKrbAuthzData: MS-PAC
to:
+addifnew: ipaKrbAuthzData: MS-PAC

Otherwise it would add the MS-PAC type to the config when the user changed it
to just the "PAD" type.

I also created a ticket to address wiring of the new setting in the ipa_kdb
driver as well:
https://fedorahosted.org/freeipa/ticket/2960

ACK. Pushed to master.

Martin
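
The difference between the two update lines in point 2, as an added example that is not part of the original message or of FreeIPA's updater code. It is a simplified model that assumes `add` appends a value that is missing and `addifnew` only writes when the attribute has no value at all; the entries and the helper names (`parse_directive`, `apply_update`, `simulate_upgrade`) are constructed for illustration.

```python
# Simplified model of the two update directives discussed above (constructed
# for illustration; this is not ipa-ldap-updater code).

def parse_directive(line):
    """Split 'action: attr: value' into its three parts."""
    action, attr, value = (part.strip() for part in line.split(":", 2))
    return action, attr, value


def apply_update(entry, line):
    """Return a copy of entry (attr -> list of values) with one directive applied."""
    action, attr, value = parse_directive(line)
    updated = {name: list(values) for name, values in entry.items()}
    current = updated.get(attr, [])
    if action == "add":
        # Assumed semantics: add the value whenever it is not already present.
        if value not in current:
            updated[attr] = current + [value]
    elif action == "addifnew":
        # Assumed semantics: add only when the attribute has no value at all.
        if not current:
            updated[attr] = [value]
    else:
        raise ValueError(f"unsupported directive: {action}")
    return updated


def simulate_upgrade(entry, line, runs=2):
    """Apply the same update line on every upgrade run, as an updater would."""
    for _ in range(runs):
        entry = apply_update(entry, line)
    return entry


# Constructed sample entries standing in for the IPA config object.
FRESH = {"cn": ["ipaConfig"]}
ADMIN_CHANGED = {"cn": ["ipaConfig"], "ipaKrbAuthzData": ["PAD"]}

if __name__ == "__main__":
    for label, entry in (("fresh", FRESH), ("admin set PAD", ADMIN_CHANGED)):
        for line in ("add: ipaKrbAuthzData: MS-PAC",
                     "addifnew: ipaKrbAuthzData: MS-PAC"):
            result = simulate_upgrade(entry, line)
            print(f"{label:14} {line:36} -> {result.get('ipaKrbAuthzData')}")
```

With `add`, every upgrade run puts MS-PAC back next to the administrator's PAD setting; with `addifnew`, the default is only seeded on an entry that has no value yet.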



