[Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 10 11:09:54 UTC 2016


On Fri, 10 Jun 2016, Petr Vobornik wrote:
>On 06/10/2016 12:43 PM, Alexander Bokovoy wrote:
>> On Fri, 10 Jun 2016, Petr Vobornik wrote:
>>> On 06/09/2016 09:47 PM, Alexander Bokovoy wrote:
>>>> On Thu, 09 Jun 2016, Martin Basti wrote:
>>>>>
>>>>>
>>>>> On 09.06.2016 17:49, Martin Babinsky wrote:
>>>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> In case an ID override was created for an Active Directory user in the
>>>>>>> default trust view, allow mapping the incoming GSSAPI authenticated
>>>>>>> connection to the ID override for this user.
>>>>>>>
>>>>>>> This allows self-management of ID override parameters from the CLI, for
>>>>>>> example, SSH public keys or certificates. Admins can define what can be
>>>>>>> changed by the users via self-service permissions.
>>>>>>>
>>>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> ACK
>>>>>>
>>>>>
>>>>> Ticket for this is in 'Tickets Deferred' milestone and should be
>>>>> re-triaged before push
>>>> The ticket itself covers a far longer story and should stay in the
>>>> deferred bucket. However, this specific part of the implementation was
>>>> already discussed to be for 4.4. Don't pull the original ticket, as I'm
>>>> using it as a tracker.
>>>
>>> This ticket should be used for that:
>>> https://fedorahosted.org/freeipa/ticket/3242
>> I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and
>> is properly describing what this is about.
>>
>> Note that if you manually add ID Override record to the cn=admins group,
>> then AD users will indeed be able to manage IPA via CLI.
>>
>> 3242 is more UI related. UI part needs to be done as we have explicit
>> prevention for AD user logons right now.
>
>Most proper would be to create a new ticket, link to bz 1287194 and
>make it a blocker for 2149 and 3242. But I'm fine with updating both
>tickets (2149, 3242) with the commit ID while leaving the tickets open.
>
>Up to you.
That's what I did when I chose to put the reference to ticket 2149
already.
-- 
/ Alexander Bokovoy



