[Freeipa-devel] [DESIGN] Kerberos principal alias handling

Martin Kosek mkosek at redhat.com
Fri May 6 12:57:41 UTC 2016


On 04/18/2016 10:31 AM, Martin Kosek wrote:
> On 04/08/2016 05:10 PM, Martin Babinsky wrote:
>> Hi list,
>>
>> I have put together a draft [1] outlining the effort to reimplement the
>> handling of Kerberos principals in both backend and frontend layers of FreeIPA
>> so that we may have multiple aliases per user, host or service and thus
>> implement stuff like https://fedorahosted.org/freeipa/ticket/3961 and
>> https://fedorahosted.org/freeipa/ticket/5413 .
>>
>> Since much of the plumbing was already implemented,[2] the document mainly
>> describes what the patches do. Some parts required by other use cases may be
>> missing so please point these out.
>>
>> I would also be happy if you could correct all factual inaccuracies; I did
>> research on this issue a long time ago and my knowledge turned a bit rusty.
>>
>> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
>> [2] https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html
> 
> Thanks! Looking at the planned API/CLI, besides the typo ("prinicpal"), I also
> see that you are using the Kerberos attributes in the raw name
> ("--krbprincipalname"). This is not consistent with the CLI form when they are
> used in other commands:
> 
> ...
>         Str('krbprincipalname?', validate_principal,
>             cli_name='principal',
>             label=_('Kerberos principal'),
>             default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
>             autofill=True,
>             flags=['no_update'],
>             normalizer=lambda value: normalize_principal(value),
>         ),
>         DateTime('krbprincipalexpiration?',
>             cli_name='principal_expiration',
>             label=_('Kerberos principal expiration'),
>         ),
> ...
> 
> IMO, it should be rather "--principal" and "--principal-alias".
> 
> Martin
> 

Bump.



