[Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin

Rob Crittenden rcritten at redhat.com
Tue May 19 20:46:13 UTC 2015


Rob Crittenden wrote:
> Add a plugin to manage service delegations, like the one allowing the
> HTTP service to obtain an ldap service ticket on behalf of the user.
>
> This does not include impersonation targets, so one cannot yet limit by
> user what tickets can be obtained.
>
> There is also no referential integrity for the memberPrincipal attribute
> since it is a string and not a DN. I don't see a way around this that
> isn't either clunky or requires a 389-ds plugin, both of which are
> overkill in this case IMHO.
>
> If you wonder why all the overrides, it's because all of this is stored
> in the same container, and membership-like functions are used for a
> non-DN attribute (memberPrincipal).
>
> I used Alexander's patch in the ticket as a jumping-off point.

Removed a couple of hardcoded domain/realm elements in the tests.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1112-2-Add-plugin-to-manage-service-constraints.patch
Type: text/x-diff
Size: 42219 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150519/aaa1f09a/attachment.bin>

