[Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user

Martin Basti mbasti at redhat.com
Wed Mar 9 12:44:03 UTC 2016



On 09.03.2016 13:40, Alexander Bokovoy wrote:
> On Wed, 09 Mar 2016, Martin Basti wrote:
>>
>>
>> On 09.03.2016 13:19, Alexander Bokovoy wrote:
>>> On Wed, 09 Dec 2015, Simo Sorce wrote:
>>>> From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>>>> From: Simo Sorce <simo at redhat.com>
>>>> Date: Tue, 24 Nov 2015 18:01:52 -0500
>>>> Subject: [PATCH] Allow to specify Kerberos authz data type per user
>>>>
>>>> Like for services, setting the ipaKrbAuthzData attribute on a user object
>>>> will allow us to control exactly what authz data is allowed for that user.
>>>> Setting NONE would allow no authz data, while setting MS-PAC would allow
>>>> only Active Directory compatible data.
>>>>
>>>> Signed-off-by: Simo Sorce <simo at redhat.com>
>>>>
>>>> Ticket: https://fedorahosted.org/freeipa/ticket/2579
>>> ACK for the code, as that is obvious, but I have a question about
>>> objectclass replication: we extend the objectclass definition to allow
>>> more attributes in MAY. How does 389-ds handle replication in such a case;
>>> will a new definition override the old one without any problem?
>> If it is updated by ipa-server-upgrade, it should be done
>> without any problem.
> I'm interested in the replication part.
>
ipa-server-upgrade will cause the schema definition to be replicated.
If you just put the LDIF file into the directory and restart DS, then it will
not be replicated. Replication requires that schema definitions be added
via ldapadd/mod. Thierry can provide more details.

Martin^2
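The distinction Martin draws above (schema pushed over LDAP replicates, an LDIF file dropped into the schema directory does not) is easy to get wrong, so here is an added example, not code from the thread or from FreeIPA, showing the LDAP-side way to update a site-defined objectClass in cn=schema and a check that the schema CSN agrees across masters. The hostnames, the objectClass definitions and the delete-then-add shape of the modification are this example's own assumptions; it also assumes a Kerberos ticket for a directory admin so that ldapmodify/ldapsearch can bind with GSSAPI.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: push a schema change
# to 389-ds over LDAP (so it is replicated, unlike an LDIF dropped into the
# schema directory) and then verify that every replica carries the same
# schema CSN. Hostnames and the objectClass definitions are placeholders.
set -e

# Emit the LDIF for updating an existing, site-defined objectClass in cn=schema.
# 389-ds refuses to delete standard schema, so this is for FreeIPA's own
# classes. $1 = current definition, $2 = new definition (same OID, extra MAY).
build_schema_ldif() {
    printf 'dn: cn=schema\n'
    printf 'changetype: modify\n'
    printf 'delete: objectClasses\n'
    printf 'objectClasses: %s\n' "$1"
    printf '%s\n' -
    printf 'add: objectClasses\n'
    printf 'objectClasses: %s\n' "$2"
}

# Apply the LDIF to one master; the change then travels through the normal
# replication agreements. Assumes a Kerberos ticket for an admin (GSSAPI bind).
apply_schema_change() {
    host=$1; old=$2; new=$3
    build_schema_ldif "$old" "$new" | ldapmodify -Q -Y GSSAPI -H "ldap://$host"
}

# Read nsSchemaCSN (the schema version stamp 389-ds replicates) from one host.
schema_csn() {
    ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$1" -b cn=schema -s base nsSchemaCSN \
        | sed -n 's/^nsSchemaCSN: //p'
}

# Compare the schema CSN across all given hosts; return 1 on any mismatch.
check_schema_in_sync() {
    ref=""
    for h in "$@"; do
        csn=$(schema_csn "$h")
        [ -n "$csn" ] || { echo "no nsSchemaCSN from $h" >&2; return 1; }
        if [ -z "$ref" ]; then
            ref=$csn
        elif [ "$csn" != "$ref" ]; then
            echo "schema mismatch: $h has $csn, expected $ref" >&2
            return 1
        fi
    done
    echo "schema CSN $ref identical on $# hosts"
}
```

Typical use, with placeholder hosts: fetch the current definition with `ldapsearch -b cn=schema -s base objectClasses`, build the new one with the extra MAY attribute, run `apply_schema_change master1.example.test "$OLD" "$NEW"` once, and after replication settles run `check_schema_in_sync master1.example.test replica1.example.test`. A CSN that differs on one host is the sign that its schema was edited locally on disk rather than over LDAP.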
