[Freeipa-devel] [PATCH] 1112 Add service constraint delegation plugin
Martin Kosek
mkosek at redhat.com
Tue May 26 12:09:03 UTC 2015
On 05/20/2015 06:02 PM, Rob Crittenden wrote:
> Rob Crittenden wrote:
>> Rob Crittenden wrote:
>>> Add a plugin to manage service delegations, like the one allowing the
>>> HTTP service to obtain an ldap service ticket on behalf of the user.
>>>
>>> This does not include impersonation targets, so one cannot yet limit by
>>> user what tickets can be obtained.
>>>
>>> There is also no referential integrity for the memberPrincipal attribute
>>> since it is a string and not a DN. I don't see a way around this that
>>> isn't either clunky or requires a 389-ds plugin, both of which are
>>> overkill in this case IMHO.
>>>
>>> If you wonder why all the overrides it's because all of this is stored
>>> in the same container, and membership-like functions are used for a
>>> non-DN attribute (memberPrincipal).
>>>
>>> I used Alexander's patch in the ticket as a jumping off point.
>>
>> Removed a couple of hardcoded domain/realm elements in the tests.
>
> I must be getting rusty. Forgot to include ACIs. Added now.
Thanks Rob! Martin Basti planned to look at this patch set.
BTW, I did not see any design. Would it be fine with you to prepare some? This
is a new feature, far from a straightforward one, so it would be very helpful to
have some metadata and docs on the FreeIPA.org design page.
Thanks,
Martin