[Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user
Martin Basti
mbasti at redhat.com
Wed Mar 9 12:34:51 UTC 2016
On 09.03.2016 13:19, Alexander Bokovoy wrote:
> On Wed, 09 Dec 2015, Simo Sorce wrote:
>> From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>> From: Simo Sorce <simo at redhat.com>
>> Date: Tue, 24 Nov 2015 18:01:52 -0500
>> Subject: [PATCH] Allow to specify Kerberos authz data type per user
>>
>> Like for services, setting the ipaKrbAuthzData attribute on a user
>> object will allow us to control exactly what authz data is allowed for
>> that user. Setting NONE would allow no authz data, while setting MS-PAC
>> would allow only Active Directory compatible data.
>>
>> Signed-off-by: Simo Sorce <simo at redhat.com>
>>
>> Ticket: https://fedorahosted.org/freeipa/ticket/2579
> ACK for the code as that is obvious, but I have a question about
> objectclass replication -- we extend the objectclass definition to allow
> more attributes in MAY. How does 389-ds handle replication in such a case?
> Will a new definition override the old one without any problem?
If it is updated by ipa-server-upgrade, it should be done without
any problem.
Martin^2
>
>> @@ -76,7 +76,7 @@ objectClasses: (2.16.840.1.113730.3.8.12.15 NAME
>> 'ipaIDrange' ABSTRACT MUST ( cn
>> objectClasses: (2.16.840.1.113730.3.8.12.16 NAME 'ipaDomainIDRange'
>> SUP ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID )
>> X-ORIGIN 'IPA v3' )
>> objectClasses: (2.16.840.1.113730.3.8.12.17 NAME
>> 'ipaTrustedADDomainRange' SUP ipaIDrange STRUCTURAL MUST ( ipaBaseRID
>> $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA v3' )
>> objectClasses: (2.16.840.1.113730.3.8.12.19 NAME
>> 'ipaUserAuthTypeClass' SUP top AUXILIARY DESC 'Class for
>> authentication methods definition' MAY ipaUserAuthType X-ORIGIN 'IPA
>> v3')
>> -objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY
>> MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
>> +objectClasses: (2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY
>> MUST ( uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' )
>> objectClasses: (2.16.840.1.113730.3.8.12.21 NAME 'ipaPermissionV2'
>> DESC 'IPA Permission objectclass, version 2' SUP ipaPermission
>> AUXILIARY MUST ( ipaPermBindRuleType $ ipaPermLocation ) MAY (
>> ipaPermDefaultAttr $ ipaPermIncludedAttr $ ipaPermExcludedAttr $
>> ipaPermRight $ ipaPermTargetFilter $ ipaPermTarget $ ipaPermTargetTo
>> $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' )
>> objectClasses: (2.16.840.1.113730.3.8.12.22 NAME
>> 'ipaAllowedOperations' SUP top AUXILIARY DESC 'Class to apply access
>> controls to arbitrary operations' MAY ( ipaAllowedToPerform $
>> ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
>> objectClasses: (2.16.840.1.113730.3.8.12.24 NAME 'ipaPublicKeyObject'
>> DESC 'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey )
>> X-ORIGIN 'IPA v4.1' )
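Review bot: the `+` line writes `MUST ( uid)` where the removed line and every neighbouring objectClass in this file use `MUST ( uid )`; restore the space before the closing parenthesis so the schema LDIF stays consistently formatted. Since this edits the existing `ipaUser` class rather than adding a new one, it only takes effect on already installed servers once the stored schema is updated, which is the replication point raised above; a sentence in the commit message stating that the upgrade path is expected to carry the new definition would close that question for future readers.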
>> --
>> 2.5.0
>>
>
>
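To make the schema point concrete, here is an added Python example (not code from the patch or from FreeIPA) that parses the old and new `ipaUser` objectClass definitions quoted in the hunk above and checks a constructed user entry carrying `ipaKrbAuthzData=NONE` against each, mirroring the objectClassViolation check a 389-ds server applies on write; the user entry and its values are constructed for the example.

```python
import re

# Old and new definitions of the 'ipaUser' objectClass, taken from the two
# changed lines of the patch hunk above (whitespace normalised).
OLD_IPAUSER = ("( 2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY "
               "MUST ( uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )")
NEW_IPAUSER = ("( 2.16.840.1.113730.3.8.12.20 NAME 'ipaUser' AUXILIARY "
               "MUST ( uid ) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' )")

def parse_objectclass(definition):
    """Pull NAME, MUST and MAY out of an RFC 4512 objectClass description."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1)

    def attr_list(keyword):
        # Either a parenthesised '$'-separated list or one bare attribute name.
        m = re.search(keyword + r"\s+(?:\(\s*([^)]*?)\s*\)|(\w+))", definition)
        if m is None:
            return set()
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return {a.strip().lower() for a in body.split("$") if a.strip()}

    return {"name": name, "must": attr_list("MUST"), "may": attr_list("MAY")}

def schema_violations(entry, schema):
    """Reasons 389-ds would reject 'entry' with objectClassViolation ([] if clean).
    'entry' maps lowercase attribute names to values; 'schema' maps lowercase
    objectClass names to parse_objectclass() results."""
    allowed, required, problems = {"objectclass"}, set(), []
    for oc in entry.get("objectclass", []):
        parsed = schema.get(oc.lower())
        if parsed is None:
            problems.append("unknown objectClass %s" % oc)
            continue
        allowed |= parsed["must"] | parsed["may"]
        required |= parsed["must"]
    problems += ["attribute %s not allowed by any objectClass" % a
                 for a in entry if a not in allowed]
    problems += ["missing MUST attribute %s" % a
                 for a in sorted(required) if a not in entry]
    return problems

def check_user(definition):
    """Validate a constructed user (ipaKrbAuthzData=NONE) against one ipaUser definition."""
    parsed = parse_objectclass(definition)
    schema = {parsed["name"].lower(): parsed}
    user = {"objectclass": ["ipaUser"], "uid": ["alice"],
            "ipakrbauthzdata": ["NONE"]}  # constructed sample entry, not real data
    return schema_violations(user, schema)
```

Against the old definition the entry is rejected because no objectClass permits ipaKrbAuthzData; with the patched definition it passes, which is exactly why the MAY list has to change before the attribute can be set per user.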