[Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user

Jan Cholasta jcholast at redhat.com
Wed Nov 25 07:09:00 UTC 2015


On 25.11.2015 00:09, Simo Sorce wrote:
> This patch is untested and mostly an RFC.
>
> I think it is all we need to allow specifying authz data types per user
> and, by setting the attribute to NONE, preventing a user from getting
> MS-PAC data in their ticket.
>
> Alexander, you changed the code around here quite a bit, so I'd like to
> know if you think the change I made in the KDC will cause any issue with
> the special PACs we generate for masters' principals. As far as I can
> tell it shouldn't.
>
> Any opinion is welcome.

Before your change, the server entry was checked for AS requests; now 
only the client entry is checked for AS requests. I'm not very familiar 
with ipa-kdb, but shouldn't the server entry still be checked as a 
fallback when there is no authorization data in the client entry?

The attribute is exposed in the service plugin; shouldn't it be exposed 
in the user plugin as well?

Nitpick: don't remove the space character here: "( uid )".

-- 
Jan Cholasta
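As an added illustration (not ipa-kdb or FreeIPA code, and not part of either message above), the lookup order Jan is asking about can be modelled as a small resolver: the client (user) entry is consulted first, the server (service) entry is used as the fallback when the client entry carries no value, and a global default applies when neither does, with an explicit NONE meaning "no authz data at all" and therefore no MS-PAC in the ticket. The attribute name ipaKrbAuthzData, the value spellings MS-PAC / PAD / NONE and the dict-shaped entries are assumptions made for this example; the sample entries are constructed.

```python
# Added illustration for the authz-data lookup discussed in the thread.
# NOT ipa-kdb or FreeIPA code. Assumptions (not stated on the page): the
# attribute is named ipaKrbAuthzData, its values are strings such as
# "MS-PAC", "PAD" or the special value "NONE", and a directory entry is
# modelled as a plain dict of attribute -> list of values.
from typing import Dict, FrozenSet, List, Optional

AUTHZ_ATTR = "ipaKrbAuthzData"   # assumed attribute name
NONE_MARKER = "NONE"             # explicit "no authorization data" value

Entry = Dict[str, List[str]]


def entry_authz_types(entry: Optional[Entry]) -> Optional[FrozenSet[str]]:
    """Return the authz data types an entry explicitly requests.

    None means the entry is missing or has no value for the attribute, so
    the caller should fall through to the next source. An explicit NONE on
    an entry wins over any other value on that same entry and yields an
    empty set, i.e. no authz data (and thus no MS-PAC) for that principal.
    """
    if not entry:
        return None
    values = [v.strip().upper() for v in entry.get(AUTHZ_ATTR, []) if v.strip()]
    if not values:
        return None
    if NONE_MARKER in values:
        return frozenset()
    return frozenset(values)


def resolve_authz_types(client: Optional[Entry], server: Optional[Entry],
                        global_default: List[str]) -> FrozenSet[str]:
    """Resolution order with the fallback suggested in the reply:
    client (user) entry -> server (service) entry -> global default.

    Only the first source that actually carries a value decides; a
    client-side setting therefore overrides the service's setting, and a
    service-side setting overrides the global default.
    """
    for source in (client, server):
        requested = entry_authz_types(source)
        if requested is not None:
            return requested
    fallback = entry_authz_types({AUTHZ_ATTR: list(global_default)})
    return fallback if fallback is not None else frozenset()


def wants_pac(client: Optional[Entry], server: Optional[Entry],
              global_default: List[str]) -> bool:
    """True when an MS-PAC should be added to the ticket for this request."""
    return "MS-PAC" in resolve_authz_types(client, server, global_default)


if __name__ == "__main__":
    # Constructed sample entries for demonstration only.
    global_cfg = ["MS-PAC"]
    user_no_pac = {AUTHZ_ATTR: ["NONE"]}       # user opted out of MS-PAC
    user_unset = {}                             # attribute absent
    service_pac = {AUTHZ_ATTR: ["MS-PAC", "PAD"]}
    for label, user, svc in (("user NONE, service MS-PAC", user_no_pac, service_pac),
                             ("user unset, service MS-PAC", user_unset, service_pac),
                             ("user unset, service unset", user_unset, None)):
        print(f"{label}: types={sorted(resolve_authz_types(user, svc, global_cfg))}, "
              f"pac={wants_pac(user, svc, global_cfg)}")
```

Keeping the three sources in a single ordered loop makes the "server entry as fallback" question a one-line matter of which entries are passed in; dropping the server entry from the tuple reproduces the client-only behaviour the reply is concerned about.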
