[Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user

Petr Vobornik pvoborni at redhat.com
Fri Jun 10 10:53:24 UTC 2016


On 06/10/2016 12:43 PM, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Petr Vobornik wrote:
>> On 06/09/2016 09:47 PM, Alexander Bokovoy wrote:
>>> On Thu, 09 Jun 2016, Martin Basti wrote:
>>>>
>>>>
>>>> On 09.06.2016 17:49, Martin Babinsky wrote:
>>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
>>>>>> Hi,
>>>>>>
>>>>>> In case an ID override was created for an Active Directory user in
>>>>>> the default trust view, allow mapping the incoming GSSAPI authenticated
>>>>>> connection to the ID override for this user.
>>>>>>
>>>>>> This allows users to self-manage ID override parameters from the CLI,
>>>>>> for example, SSH public keys or certificates. Admins can define what
>>>>>> can be changed by the users via self-service permissions.
>>>>>>
>>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149
>>>>>>
>>>>>>
>>>>>>
>>>>> ACK
>>>>>
>>>>
>>>> Ticket for this is in 'Tickets Deferred' milestone and should be
>>>> re-triaged before push
>>> The ticket itself covers a far longer story and should stay in the
>>> deferred bucket. However, this specific part of the implementation was
>>> already discussed to be for 4.4. Don't pull the original ticket, as I'm
>>> using it as a tracker.
>>
>> This ticket should be used for that:
>> https://fedorahosted.org/freeipa/ticket/3242
> I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and
> is properly describing what this is about.
> 
> Note that if you manually add ID Override record to the cn=admins group,
> then AD users will indeed be able to manage IPA via CLI.
> 
> 3242 is more UI related. UI part needs to be done as we have explicit
> prevention for AD user logons right now.

The most proper approach would be to create a new ticket, link it to bz 1287194
and make it a blocker for 2149 and 3242. But I'm fine with updating both
tickets (2149, 3242) with the commit ID while leaving the tickets open.

Up to you.
-- 
Petr Vobornik
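As an added illustration of the mapping described in the quoted commit message (example code written for this page, not FreeIPA's or 389-ds's own implementation): a small Python model of how 389-ds SASL mapping entries (nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate) turn a GSSAPI authentication identity into the DN the LDAP connection is bound as. It assumes the feature is realised as an additional mapping into cn=Default Trust View,cn=views,cn=accounts,$SUFFIX keyed on ipaOriginalUid; that assumption, the suffix, the realm names, the SID and the entries of the toy directory are all invented for the example and are not taken from the patch.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed values for the example; substitute your own deployment's.
SUFFIX = "dc=ipa,dc=example,dc=com"
IPA_REALM = "IPA.EXAMPLE.COM"
TRUST_VIEW = f"cn=Default Trust View,cn=views,cn=accounts,{SUFFIX}"


@dataclass
class SaslMapping:
    """Models one 389-ds SASL mapping entry (nsSaslMapRegexString,
    nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate)."""
    name: str
    regex: str
    base_template: str
    filter_template: str

    def apply(self, authid: str) -> Optional[Tuple[str, str]]:
        """Return (search base, filter) for authid, or None if the regex does
        not match. \\1, \\2 ... in the templates are replaced by the matching
        regex groups, as 389-ds does."""
        m = re.fullmatch(self.regex, authid)
        if m is None:
            return None

        def subst(template: str) -> str:
            return re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))), template)

        return subst(self.base_template), subst(self.filter_template)


# Order matters: with nsslapd-sasl-mapping-fallback off (the default) only the
# first regex that matches is consulted, so the IPA-realm mapping has to come
# before the catch-all for trusted realms.
MAPPINGS = [
    SaslMapping(
        "ipa realm principals",
        rf"^([^:@]+)@{re.escape(IPA_REALM)}$",
        f"cn=users,cn=accounts,{SUFFIX}",
        rf"(krbPrincipalName=\1@{IPA_REALM})",
    ),
    # Assumption for this example: trusted-domain principals are looked up by
    # the original uid recorded on their ID override in the default trust view.
    SaslMapping(
        "trusted domain users",
        r"^([^:@]+)@([^:@]+)$",
        TRUST_VIEW,
        r"(ipaOriginalUid=\1@\2)",
    ),
]

# Constructed toy directory: one IPA user and one ID override for an AD user.
# The SID and DNs are made up for the example.
DIRECTORY = [
    {
        "dn": f"uid=alice,cn=users,cn=accounts,{SUFFIX}",
        "krbPrincipalName": f"alice@{IPA_REALM}",
    },
    {
        "dn": f"ipaanchoruuid=:SID:S-1-5-21-1111-2222-3333-1105,{TRUST_VIEW}",
        "ipaOriginalUid": "bob@ad.example.com",
    },
]


def _matches(entry: dict, base: str, flt: str) -> bool:
    """Subtree scope plus a single equality filter, compared case-insensitively
    (assumes caseIgnoreMatch on the attributes involved)."""
    if not entry["dn"].lower().endswith(base.lower()):
        return False
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    attr, value = m.group(1), m.group(2)
    return entry.get(attr, "").lower() == value.lower()


def map_authid(authid: str, directory=DIRECTORY) -> Optional[str]:
    """Resolve a GSSAPI authentication identity to the DN the bind is mapped to.
    Returns None when no mapping matches or the lookup does not yield exactly
    one entry; 389-ds then rejects the bind instead of trying further mappings."""
    for mapping in MAPPINGS:
        result = mapping.apply(authid)
        if result is None:
            continue
        base, flt = result
        hits = [e["dn"] for e in directory if _matches(e, base, flt)]
        return hits[0] if len(hits) == 1 else None
    return None


if __name__ == "__main__":
    for who in ("alice@IPA.EXAMPLE.COM", "bob@AD.EXAMPLE.COM", "carol@AD.EXAMPLE.COM"):
        print(f"{who:28} -> {map_authid(who)}")
```

The point of the third case is the one a practitioner should check: an AD user without an ID override in the default trust view is not mapped to anything, so the GSSAPI bind cannot become an authenticated identity. Conversely, once the bind does map to the override entry, that entry is the identity the server applies ACIs to, which is why adding the override to cn=admins (as noted in the quoted reply) grants full IPA management to that AD user.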