[Freeipa-devel] [PATCH] 0204 adtrust: support GSSAPI authentication to LDAP as Active Directory user

Petr Vobornik pvoborni at redhat.com
Fri Jun 10 11:40:39 UTC 2016


On 06/10/2016 01:09 PM, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Petr Vobornik wrote:
>> On 06/10/2016 12:43 PM, Alexander Bokovoy wrote:
>>> On Fri, 10 Jun 2016, Petr Vobornik wrote:
>>>> On 06/09/2016 09:47 PM, Alexander Bokovoy wrote:
>>>>> On Thu, 09 Jun 2016, Martin Basti wrote:
>>>>>>
>>>>>>
>>>>>> On 09.06.2016 17:49, Martin Babinsky wrote:
>>>>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> In case an ID override was created for an Active Directory user in the
>>>>>>>> default trust view, allow mapping the incoming GSSAPI authenticated
>>>>>>>> connection to the ID override for this user.
>>>>>>>>
>>>>>>>> This allows self-management of ID override parameters from the CLI, for
>>>>>>>> example, SSH public keys or certificates. Admins can define what can be
>>>>>>>> changed by the users via self-service permissions.
>>>>>>>>
>>>>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> ACK
>>>>>>>
>>>>>>
>>>>>> Ticket for this is in 'Tickets Deferred' milestone and should be
>>>>>> re-triaged before push
>>>>> The ticket itself covers a far longer story and should stay in the
>>>>> deferred bucket. However, this specific part of the implementation was
>>>>> already discussed to be for 4.4. Don't pull the original ticket, as I'm
>>>>> using it as a tracker.
>>>>
>>>> This ticket should be used for that:
>>>> https://fedorahosted.org/freeipa/ticket/3242
>>> I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and
>>> is properly describing what this is about.
>>>
>>> Note that if you manually add an ID Override record to the cn=admins group,
>>> then AD users will indeed be able to manage IPA via CLI.
>>>
>>> 3242 is more UI related. UI part needs to be done as we have explicit
>>> prevention for AD user logons right now.
>>
>> Most proper would be to create a new ticket, link to bz 1287194 and
>> make it a blocker for 2149 and 3242. But I'm fine with updating both
>> tickets (2149, 3242) with the commit ID while leaving the tickets open.
>>
>> Up to you.
> That's what I did when I chose to put the reference to ticket 2149
> already.

Added
 "Part of https://fedorahosted.org/freeipa/ticket/3242"

to commit message. Removed blank lines at the end of update files which
git complained about and pushed to master:

* b506fd178edbf1553ca581c44ac6697f88ead125 adtrust: support GSSAPI authentication to LDAP as Active Directory user

-- 
Petr Vobornik



