[Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization
thierry bordaz
tbordaz at redhat.com
Tue Oct 6 07:51:40 UTC 2015
On 10/06/2015 07:19 AM, David Kupka wrote:
> On 05/10/15 16:12, Simo Sorce wrote:
>> On 05/10/15 09:00, Martin Babinsky wrote:
>>> These patches implement the plumbing required to properly support
>>> canonicalization of Kerberos principals (
>>> https://fedorahosted.org/freeipa/ticket/3864).
>>>
>>> Setting multiple principal aliases on hosts/services is beyond the scope
>>> of this patchset and should be done after these patches are pushed.
>>>
>>> I will try to send some tests for the patches later this week.
>>>
>>> Please review the hell out of them.
>>
>> LGTM, I do not see any issue at quick visual inspection.
>> What about the performance regression with the indexes ? Is that bug
>> fixed in 389ds ?
>>
>> Simo.
>>
>>
>
> The issue is still there. Thierry investigated this in 389 DS and IIUC
> he is not sure if it's a bug or a completely missing feature. Therefore we
> still don't know how much time is needed there.
>
Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forgets" to register it.
This feature is documented but I cannot find any QA test around it, so
I do not know yet if it is a regression or if it was not enabled at all.
I do not expect rapid progress on it. How urgent is it ? 7.3 ?
For the moment I can think of only two workarounds:
* use a filtered matching rule (preferred)
* change the attribute syntax/matching rule in the schema (I would
  discourage this one because changing the schema is risky)
thanks
thierry