[Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin
Rob Crittenden
rcritten at redhat.com
Tue May 19 14:20:06 UTC 2015
Add a plugin to manage service delegations, like the one allowing the
HTTP service to obtain an ldap service ticket on behalf of the user.

This does not include impersonation targets, so one cannot yet limit by
user what tickets can be obtained.

There is also no referential integrity for the memberPrincipal attribute
since it is a string and not a DN. I don't see a way around this that
isn't either clunky or requires a 389-ds plugin, both of which are
overkill in this case IMHO.

If you wonder why all the overrides, it's because all of this is stored
in the same container, and membership-like functions are used for a
non-DN attribute (memberPrincipal).

I used Alexander's patch in the ticket as a jumping-off point.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1112-Add-plugin-to-manage-service-constraints.patch
Type: text/x-diff
Size: 42219 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150519/64282afc/attachment.bin>
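
Added example, not part of the original post or of the FreeIPA patch: because memberPrincipal is a plain string with no referential integrity, a deleted service can leave a stale principal behind in a delegation rule or target, and an offline audit over LDIF exports can flag it. The function names, the sample DNs and realm, and the use of krbPrincipalName to list live services are assumptions; matching is exact string comparison.

```python
from collections import defaultdict

# Constructed sample data; DNs, realm and the krbPrincipalName layout are assumptions.
DELEGATIONS_LDIF = """\
dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=test
memberPrincipal: HTTP/ipa.example.test@EXAMPLE.TEST
memberPrincipal: HTTP/old-web.example.test@EXAM
 PLE.TEST
ipaAllowedTarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test

dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=test
memberPrincipal: ldap/ipa.example.test@EXAMPLE.TEST
"""
SERVICES_LDIF = """\
dn: krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/ipa.example.test@EXAMPLE.TEST

dn: krbprincipalname=ldap/ipa.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbPrincipalName: ldap/ipa.example.test@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Return one {attr_lower: [values]} dict per entry (folded lines joined, no base64)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and raw.strip() and unfolded:
            unfolded[-1] += raw[1:]          # LDIF continuation line
        else:
            unfolded.append(raw)
    entries, current = [], defaultdict(list)
    for line in unfolded + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current[attr.strip().lower()].append(value.strip())
    return entries

def dangling_members(delegation_ldif, service_ldif):
    """Map each rule/target DN to memberPrincipal values with no matching service entry."""
    live = {p for e in parse_ldif(service_ldif) for p in e.get("krbprincipalname", [])}
    report = {}
    for entry in parse_ldif(delegation_ldif):
        stale = [p for p in entry.get("memberprincipal", []) if p not in live]
        if stale:
            report[entry["dn"][0]] = stale
    return report
```

On the constructed data, dangling_members(DELEGATIONS_LDIF, SERVICES_LDIF) reports only the HTTP/old-web principal under the ipa-http-delegation rule.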