[Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin

Rob Crittenden rcritten at redhat.com
Wed May 20 16:02:19 UTC 2015


Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Add a plugin to manage service delegations, like the one allowing the
>> HTTP service to obtain an ldap service ticket on behalf of the user.
>>
>> This does not include impersonation targets, so one cannot yet limit by
>> user what tickets can be obtained.
>>
>> There is also no referential integrity for the memberPrincipal attribute
>> since it is a string and not a DN. I don't see a way around this that
>> isn't either clunky or requires a 389-ds plugin, both of which are
>> overkill in this case IMHO.
>>
>> If you wonder why all the overrides it's because all of this is stored
>> in the same container, and membership-like functions are used for a
>> non-DN attribute (memberPrincipal).
>>
>> I used Alexander's patch in the ticket as a jumping off point.
>
> Removed a couple of hardcoded domain/realm elements in the tests.

I must be getting rusty. Forgot to include ACIs. Added now.

rob
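A consistency check for the caveat raised in the quoted text above (memberPrincipal is a plain string, not a DN, so nothing in the directory stops it from referring to a service that no longer exists), as an added example that is not part of the patch or of FreeIPA itself. It assumes the rules have already been read out of the container into dicts keyed by attribute name; the attribute names beyond memberPrincipal, the rule names and every principal are constructed.

```python
# Added example, not from the patch or FreeIPA: audit delegation rules for
# memberPrincipal values that no longer match an existing service principal.
# Input shape (a dict per LDAP entry, attribute -> list of values) is assumed.
from typing import Dict, Iterable, List, Set

# Constructed sample: delegation rules as read out of the shared container.
SAMPLE_RULES: List[Dict[str, List[str]]] = [
    {"cn": ["ipa-http-delegation"],
     "memberPrincipal": ["HTTP/ipa.example.test@EXAMPLE.TEST"]},
    {"cn": ["legacy-web-delegation"],
     "memberPrincipal": ["HTTP/old-web.example.test@EXAMPLE.TEST",
                         "HTTP/ipa.example.test@EXAMPLE.TEST"]},
    {"cn": ["unqualified-delegation"],
     "memberPrincipal": ["ldap/ipa.example.test"]},
]

# Constructed sample: principals of the services that actually exist.
SAMPLE_SERVICES: Set[str] = {
    "HTTP/ipa.example.test@EXAMPLE.TEST",
    "ldap/ipa.example.test@EXAMPLE.TEST",
}


def qualify_principal(principal: str, default_realm: str) -> str:
    """Append the default realm when a memberPrincipal value was stored
    without one; otherwise leave the string untouched for an exact compare."""
    principal = principal.strip()
    return principal if "@" in principal else f"{principal}@{default_realm}"


def find_dangling_members(rules: Iterable[Dict[str, List[str]]],
                          services: Iterable[str],
                          default_realm: str) -> Dict[str, List[str]]:
    """Return {rule cn: [memberPrincipal values with no matching service]}.

    A stale member is worth flagging: the rule still grants delegation to a
    principal name that could be re-created later by a different service.
    """
    known = {qualify_principal(p, default_realm) for p in services}
    dangling: Dict[str, List[str]] = {}
    for rule in rules:
        missing = [p for p in rule.get("memberPrincipal", [])
                   if qualify_principal(p, default_realm) not in known]
        if missing:
            dangling[rule["cn"][0]] = missing
    return dangling


if __name__ == "__main__":
    report = find_dangling_members(SAMPLE_RULES, SAMPLE_SERVICES, "EXAMPLE.TEST")
    for rule_name, missing in report.items():
        print(f"{rule_name}: stale memberPrincipal {', '.join(missing)}")
```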

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-1112-3-Add-plugin-to-manage-service-constraints.patch
Type: text/x-diff
Size: 46351 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150520/f3c802ca/attachment.bin>
