[Freeipa-devel] [PATCH] s4u2proxy support

Rob Crittenden rcritten at redhat.com
Wed Jan 4 20:11:29 UTC 2012


Alexander Bokovoy wrote:
> On Wed, 14 Dec 2011, Rob Crittenden wrote:
>
>> Dmitri Pal wrote:
>>> On 12/12/2011 07:15 PM, Simo Sorce wrote:
>>>> On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
>>>>> This patch adds support for s4u2proxy. This means that the Apache server
>>>>> will obtain the ldap service ticket on behalf of the user rather than
>>>>> the user having to send their TGT. The user's ticket still needs to be
>>>>> forwardable, we just don't require it to be forwarded any more.
>>>>
>>>> Should we make the patch allow the old behavior by using a switch that
>>>> reverts to forwarding the TGT?
>>>>
>>>> It would be useful during upgrades if some of your servers still need
>>>> forwarded TGTs, or if you want to use a newer client against an old
>>>> server while you have the newer stuff under test.
>>>> (And to test in general).
>>>>
>>>> Simo.
>>> +1
>>>
>>
>> Updated patch attached.
>>
>> rob
>
>> From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
>> From: Rob Crittenden<rcritten at redhat.com>
>> Date: Thu, 8 Dec 2011 14:23:18 -0500
>> Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
>>   now
>>
>> A forwardable ticket is still required but we no longer need to send
>> the TGT to the IPA server. A new flag, --delegation, is available if
>> the old behavior is required.
> A minor point: please fix commit message to use proper option name:
>
> --delegate
>
>> +        parser.add_option('--delegate', action='store_true',
>> +            help='Delegate the TGT to the IPA server',
>> +        )
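
Review bot: The `parser.add_option('--delegate', action='store_true', ...)` call sets no `default`. If this is an optparse parser, as `add_option` suggests, the option value is None rather than False when the flag is absent. Consider adding `default=False` so that code reading the option always gets a boolean. The help string could also say that without `--delegate` the TGT is not sent to the server and that a forwardable ticket is still required, as the commit message states.
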
>
> Otherwise ACK.
>

Updated both patches. The first (914) to address Alexander's concern. 
The second to add a new global lock directive. I updated the 
mod_auth_kerb patch based on feedback from the package maintainer.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-914-2-nodelegation.patch
Type: text/x-patch
Size: 6033 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120104/440b5825/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-915-1-s4u2proxy.patch
Type: text/x-patch
Size: 4804 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120104/440b5825/attachment-0001.bin>

