[Freeipa-devel] [PATCHES] [RFC] New getkeytab operation: why not to use kadmin protocol?
Petr Spacek
pspacek at redhat.com
Thu Mar 6 08:47:59 UTC 2014
On 5.3.2014 23:18, Simo Sorce wrote:
> Thanks for reading this far :-)
I will bikeshed this thread a little bit:
Can we use the kadmin protocol instead of the proprietary LDAP control?
If I remember correctly, one of the objections was that we do not allow the admin to
read the key, but it is not true anymore ... And we have ticket delegation
capabilities, so the kadmin process can use the credentials of the requester to contact LDAP.
I really don't like ipa-getkeytab :-) It is yet another proprietary tool. I
would like to allow admins experienced with Kerberos to use normal kadmin.
--
Petr^2 Spacek