[Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 9 12:19:18 UTC 2016


On Wed, 09 Dec 2015, Simo Sorce wrote:
>From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>From: Simo Sorce <simo at redhat.com>
>Date: Tue, 24 Nov 2015 18:01:52 -0500
>Subject: [PATCH] Allow to specify Kerberos authz data type per user
>
>Like for services, setting the ipaKrbAuthzData attribute on a user object will
>allow us to control exactly what authz data is allowed for that user.
>Setting NONE would allow no authz data, while setting MS-PAC would allow only
>Active Directory compatible data.
>
>Signed-off-by: Simo Sorce <simo at redhat.com>
>
>Ticket: https://fedorahosted.org/freeipa/ticket/2579
ACK for the code as that is obvious, but I have a question about
objectclass replication -- we extend the objectclass definition to allow
more attributes in MAY. How does 389-ds handle replication of such a case?
Will a new definition override the old one without any problem?

>@@ -76,7 +76,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.15 NAME 'ipaIDrange' ABSTRACT MUST ( cn
> objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange' SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA v3' )
> objectClasses: (2.16.840.1.113730.3.8.12.17 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
> objectClasses: (2.16.840.1.113730.3.8.12.19 NAME 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA v3')
>-objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
>+objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY MUST ( uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' )
> objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2' DESC 'IPA Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' )
> objectClasses: (2.16.840.1.113730.3.8.12.22 NAME 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
> objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject' DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA v4.1' )
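Review bot: The rewritten ipaUser line changes the spacing of the MUST clause from `MUST ( uid )` to `MUST ( uid)`, which is inconsistent with every other objectClasses entry in this hunk; suggest keeping `MUST ( uid ) MAY ( userClass $ ipaKrbAuthzData )` so the only semantic change in the line is the added attribute. The hunk also extends the MAY list of an existing objectclass in place rather than introducing a new auxiliary class (as ipaUserAuthTypeClass does for ipaUserAuthType); since the reply above asks how 389-ds replicates such a redefinition, it would help to document in the commit message that replicas with the old schema accept the updated definition, or to note why in-place extension was chosen over a separate auxiliary class.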
>-- 
>2.5.0
>


-- 
/ Alexander Bokovoy