[Freeipa-devel] [DESIGN] Kerberos principal alias handling

Milan Kubík mkubik at redhat.com
Thu May 5 12:58:07 UTC 2016


On 04/08/2016 05:10 PM, Martin Babinsky wrote:
> Hi list,
>
> I have put together a draft [1] outlining the effort to reimplement 
> the handling of Kerberos principals in both backend and frontend 
> layers of FreeIPA so that we may have multiple aliases per user, host 
> or service and thus implement stuff like 
> https://fedorahosted.org/freeipa/ticket/3961 and 
> https://fedorahosted.org/freeipa/ticket/5413 .
>
> Since much of the plumbing was already implemented,[2] the document 
> mainly describes what the patches do. Some parts required by other use 
> cases may be missing so please point these out.
>
> I would also be happy if you could correct all factual inaccuracies, I 
> did research on this issue a long time ago and my knowledge turned a 
> bit rusty.
>
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> [2] 
> https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html
>

Hi!

I went through the design document and the related email thread here on 
the list and I have a few questions:

1. Is there any progress on what's to happen if MODRDN would collide with 
an existing alias on a different entry?

2. How does this RFE change the behavior of the stage user plugin? Is the 
principal (as in the canonical name) assigned at this stage of user 
lifetime?

3. Will there be any constraints on what string can be used as an alias? 
(The document mentions email address as one use case)

4. Will this RFE have any impact on AD trust (possibility of cross realm 
routing, RFC 6806 section 9)?

Otherwise the document looks good from my POV as QE.


Regards,

-- 
Milan Kubik
