[Freeipa-devel] fixing Kerberos principal aliases handling in IPA
Martin Babinsky
mbabinsk at redhat.com
Tue Sep 1 14:39:59 UTC 2015
Hi list,
I own the following ticket https://fedorahosted.org/freeipa/ticket/3864
and I would like to clarify what needs to be done in order to make IPA
fully support multiple aliases per entry.
So far I have identified these tasks based on the ticket comments and
discussion with Simo way back in the past:
1.) mark 'ipaKrbPrincipalAlias' attribute as deprecated so that it is
not used in the new code.
2.) fix ACIs that do not permit setting multiple values of
'krbPrincipalName' attribute per entry (see
https://fedorahosted.org/freeipa/ticket/3961)
3.) Modify KDB backend (namely 'ipadb_fetch_principal' and
'ipadb_find_principal' functions) to correctly perform lookup of
krbprincipalname/krbcanonicalname, i.e. search krbprincipalname
case-insensitively and krbcanonicalname case-sensitively, return
krbcanonicalname when canonicalization is requested.
4.) Modify KDB backend and IPA framework to handle creation of both
krbprincipalname and krbcanonicalname. I am not quite sure what cases
should be covered here (I remember that we should create
krbcanonicalname when we add other aliases to krbprincipalname), so it
would be nice if you could comment on this.
5.) write tests which cover all this stuff so that we don't shoot
ourselves in the foot.
I am not very well versed in Kerberos so I might get some of this stuff
wrong. If that's the case please point me in the right direction. Also
please write me some additional stuff which I have forgot and needs to be
done.
--
Martin^3 Babinsky
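
Added example, not part of the original message and not FreeIPA code: a small in-memory model of the lookup rule described in item 3 (krbprincipalname matched case-insensitively, krbcanonicalname matched case-sensitively, krbcanonicalname returned when canonicalization is requested). The names `princ_entry`, `sample_db` and `lookup_principal` are hypothetical, the data is constructed, and the answer given when canonicalization is not requested or the entry has no krbcanonicalname is an assumption the message does not specify.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>            /* strcasecmp (POSIX) */

/* Hypothetical stand-in for an LDAP principal entry, not a FreeIPA type. */
struct princ_entry {
    const char *canonical;      /* krbCanonicalName (NULL when absent) */
    const char *names[4];       /* krbPrincipalName values, NULL-terminated */
};

/* Constructed sample data. */
static const struct princ_entry sample_db[] = {
    { "alice@EXAMPLE.TEST", { "alice@EXAMPLE.TEST", "a.smith@EXAMPLE.TEST", NULL } },
    { NULL, { "bob@EXAMPLE.TEST", NULL } },   /* entry with no canonical name */
    /* canonical name not repeated as an alias: shows the case-sensitive branch */
    { "host/Web1.example.test@EXAMPLE.TEST", { "host/www.example.test@EXAMPLE.TEST", NULL } },
};
#define SAMPLE_DB_LEN (sizeof sample_db / sizeof sample_db[0])

/* Return the principal name to answer with, or NULL when nothing matches. */
const char *lookup_principal(const struct princ_entry *db, size_t n,
                             const char *req, int canonicalize)
{
    for (size_t i = 0; i < n; i++) {
        const struct princ_entry *e = &db[i];
        const char *matched = NULL;

        /* krbCanonicalName: exact, case-sensitive comparison */
        if (e->canonical && strcmp(e->canonical, req) == 0)
            matched = e->canonical;
        /* krbPrincipalName: case-insensitive comparison over every value */
        for (size_t j = 0; !matched && e->names[j]; j++)
            if (strcasecmp(e->names[j], req) == 0)
                matched = e->names[j];
        if (!matched)
            continue;
        /* Canonicalization requested: answer with krbCanonicalName if set.
         * Otherwise (assumption) answer with the stored value that matched. */
        return (canonicalize && e->canonical) ? e->canonical : matched;
    }
    return NULL;
}

int main(void)
{
    const char *r = lookup_principal(sample_db, SAMPLE_DB_LEN, "A.Smith@example.test", 1);
    printf("%s\n", r ? r : "(not found)");
    return 0;
}
```

Tests for item 5 would want the same cases this model exercises: an alias in different case, a canonical name in different case, and an entry that has no krbcanonicalname at all.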