[Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

thierry bordaz tbordaz at redhat.com
Tue Oct 6 07:51:40 UTC 2015


On 10/06/2015 07:19 AM, David Kupka wrote:
> On 05/10/15 16:12, Simo Sorce wrote:
>> On 05/10/15 09:00, Martin Babinsky wrote:
>>> These patches implement the plumbing required to properly support
>>> canonicalization of Kerberos principals (
>>> https://fedorahosted.org/freeipa/ticket/3864).
>>>
>>> Setting multiple principal aliases on hosts/services is beyond the scope
>>> of this patchset and should be done after these patches are pushed.
>>>
>>> I will try to send some tests for the patches later this week.
>>>
>>> Please review the hell out of them.
>>
>> LGTM, I do not see any issue at quick visual inspection.
>> What about the performance regression with the indexes? Is that bug
>> fixed in 389ds?
>>
>> Simo.
>>
>>
>
> The issue is still there. Thierry investigated this in 389 DS and IIUC
> he is not sure if it's a bug or a completely missing feature. Therefore we
> still don't know how much time is needed there.
>
Hi,
that is correct.
I can reproduce the problem. Although the matching rule (in my test
case, caseIgnoreIA5Match) is found, it has no registered indexing function, so
the setting (nsMatchingRule) is ignored.
I do not know if the indexing function is missing or there is a bug so
that the matching rule "forgets" to register it.
This feature is documented but I cannot find any QA test around it, so
I do not know yet if it is a regression or if it was never enabled at all.

I do not expect rapid progress on it. How urgent is it? 7.3?
For the moment I can think of only two workarounds:

  * use a filtered matching rule (preferred)
  * change the attribute syntax/matching rule in the schema (I would
    discourage this one because changing the schema is risky)

thanks
thierry
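As an added example, not part of the thread or of FreeIPA/389 DS: a small Python check that reads a 389 DS access log and reports searches the server had to run unindexed (notes=U, or notes=A for an all-IDs fallback, on the RESULT line). This is how an administrator would confirm that an nsMatchingRule index is being ignored, as described above. The log lines are constructed, and the krbPrincipalName filter is an assumed example attribute.

```python
import re
from dataclasses import dataclass

# Constructed 389 DS access-log excerpt (not from the thread). The SRCH line
# records the filter; the matching RESULT line (same conn/op) carries
# notes=U when the server fell back to an unindexed search and notes=A when
# the candidate list exceeded the all-IDs threshold. The krbPrincipalName
# attribute in the first filter is an assumed example.
SAMPLE_LOG = """\
[06/Oct/2015:09:51:40 +0200] conn=12 op=3 SRCH base="dc=example,dc=com" scope=2 filter="(krbPrincipalName=host/ipa.example.com@EXAMPLE.COM)" attrs=ALL
[06/Oct/2015:09:51:40 +0200] conn=12 op=3 RESULT err=0 tag=101 nentries=1 etime=0.512 notes=U
[06/Oct/2015:09:51:41 +0200] conn=12 op=4 SRCH base="dc=example,dc=com" scope=2 filter="(uid=admin)" attrs=ALL
[06/Oct/2015:09:51:41 +0200] conn=12 op=4 RESULT err=0 tag=101 nentries=1 etime=0.001
[06/Oct/2015:09:51:42 +0200] conn=13 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs="dn"
[06/Oct/2015:09:51:42 +0200] conn=13 op=1 RESULT err=0 tag=101 nentries=5000 etime=2.103 notes=A
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH .*?filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT (.*)$')
NOTES_RE = re.compile(r'notes=([A-Z,]+)')


@dataclass
class UnindexedSearch:
    conn: str
    op: str
    filter: str
    notes: str


def find_unindexed(log_text):
    """Return searches whose RESULT line carries an index-related note.

    SRCH and RESULT lines are correlated by (conn, op), so the reported
    filter is the one the server actually evaluated without a usable index.
    """
    pending = {}   # (conn, op) -> filter of a search still awaiting its RESULT
    hits = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            flt = pending.pop(key, "<filter not logged>")
            notes = NOTES_RE.search(m.group(3))
            if notes:
                hits.append(UnindexedSearch(key[0], key[1], flt, notes.group(1)))
    return hits


if __name__ == "__main__":
    for h in find_unindexed(SAMPLE_LOG):
        print(f"conn={h.conn} op={h.op} notes={h.notes} filter={h.filter}")
```

A filter on an attribute whose nsIndex entry has nsMatchingRule set but that still shows up with notes=U is the symptom discussed above: the index configuration was accepted but never used.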