[Freeipa-devel] [RFE] Read and use per-service PAC type

Sumit Bose sbose at redhat.com
Tue Jan 29 15:52:01 UTC 2013


On Tue, Jan 29, 2013 at 10:13:12AM -0500, Simo Sorce wrote:
> On Tue, 2013-01-29 at 14:10 +0100, Sumit Bose wrote:
> > = Implementation =
> > 
> > To avoid issues during upgrade I think all changes done to fix #3263
> > should be preserved, i.e. the NFS service will have a hardcoded default
> > 'NONE'. Otherwise the LDAP objects of the NFS services must be modified
> > during upgrade.
> > 
> > In ipadb_sign_authdata() a call like
> > 
> >     ret = get_service_pac_type(server->princ, &pac_type);
> > 
> > can be added, where get_service_pac_type() runs an LDAP search with a
> > filter like
> > '(&(objectclass=ipaService)(krbPrincipalName=SERVER_PRINCIPAL))' which
> > looks for the ipakrbauthzdata attribute.
> > 
> In ipa-kdb we can keep around data when the principal is retrieved from
> LDAP. So we should keep around data about the pac_type and then retrieve
> it through krb5_entry.
> 
> If we are missing the krb5_entry we should ask MIT to change the
> interface to pass it in.

ipadb_e_data is already used for extra data. I will update the page
accordingly.

bye,
Sumit

> 
> We should *not* perform additional searches, they are costly.
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 

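As an added example (not code from this thread or from ipa-kdb), a C sketch of the approach Simo proposes: the per-service ipakrbauthzdata values are cached in the entry's extra data when the principal is loaded, and the PAC type is resolved from that cache at signing time instead of through a second LDAP search, keeping the hardcoded 'NONE' default for NFS. The `struct e_data` layout, the flag values, the value names `MS-PAC` and `PAD`, and the global default are assumptions made for the example.

```c
#include <string.h>

/* Resolved PAC type as bit flags (the flag values are this example's own). */
#define PAC_NONE   0x0
#define PAC_MS_PAC 0x1
#define PAC_PAD    0x2

/* Stand-in for the extra per-entry data ipa-kdb keeps next to a krb5_db_entry;
 * only the fields this example needs are modelled, and the layout is assumed. */
struct e_data {
    const char *princ;        /* service principal, e.g. "nfs/fs.example.test@EXAMPLE.TEST" */
    const char **authz_data;  /* ipakrbauthzdata values cached at lookup time; NULL if unset */
};

/* Map a NULL-terminated list of ipakrbauthzdata values to flags.
 * "NONE" adds no bits; any unknown value makes the whole list invalid. */
static int parse_authz_values(const char **v, int *pac_type)
{
    int t = PAC_NONE;
    for (; v != NULL && *v != NULL; v++) {
        if (strcmp(*v, "MS-PAC") == 0)    t |= PAC_MS_PAC;
        else if (strcmp(*v, "PAD") == 0)  t |= PAC_PAD;
        else if (strcmp(*v, "NONE") != 0) return -1;
    }
    *pac_type = t;
    return 0;
}

/* Resolve the PAC type from cached entry data only, so signing needs no LDAP
 * search. An NFS service with no explicit value keeps the hardcoded 'NONE';
 * any other service without a value falls back to the global default. */
static int get_service_pac_type(const struct e_data *e, const char **global_default, int *pac_type)
{
    if (e->authz_data != NULL && e->authz_data[0] != NULL)
        return parse_authz_values(e->authz_data, pac_type);
    if (strncmp(e->princ, "nfs/", 4) == 0) { *pac_type = PAC_NONE; return 0; }
    return parse_authz_values(global_default, pac_type);
}

/* Constructed global default and sample cases; each returns resolved flags or -1. */
static const char *global_authz_default[] = { "MS-PAC", NULL };
int pac_type_for(const char *princ, const char **authz_data)
{
    struct e_data e = { princ, authz_data };
    int t = PAC_NONE;
    return get_service_pac_type(&e, global_authz_default, &t) == 0 ? t : -1;
}
int demo_nfs_unset(void)    { return pac_type_for("nfs/fs.example.test@EXAMPLE.TEST", NULL); }
int demo_http_unset(void)   { return pac_type_for("HTTP/web.example.test@EXAMPLE.TEST", NULL); }
int demo_nfs_explicit(void) { const char *v[] = { "MS-PAC", "PAD", NULL }; return pac_type_for("nfs/fs.example.test@EXAMPLE.TEST", v); }
int demo_bad_value(void)    { const char *v[] = { "BOGUS", NULL }; return pac_type_for("HTTP/web.example.test@EXAMPLE.TEST", v); }
```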