[Freeipa-devel] [PATCH 0093] Enable service authentication indicator management
Alexander Bokovoy
abokovoy at redhat.com
Fri May 27 15:35:05 UTC 2016
On Fri, 27 May 2016, Nathaniel McCallum wrote:
>All core functionality for authentication indicators has already been
>merged. All that is left is the CLI and UI patches. Attached is the CLI
>patch.
>
>One outstanding question that I have is how to future-proof this patch.
>Right now, we want to only permit two possible values: otp and radius.
>So we are using an StrEnum. However, in the future (probably after
>krb5-spake) we may want to have per-token custom indicators. That means
>that this value will need to become a Str.
PKINIT has already support for AI, so it would be good to add pkinit
indicator as well. The problem here is that pkinit indicator is not
fixed and can be defined in the krb5.conf.
>How do I code this so that we can later do a StrEnum => Str transition
>without breaking API?
Maybe just go to Str* right now and make a validation function that
performs the actual check? Once you'd upgrade the validation code would
change but method signature wouldn't.
--
/ Alexander Bokovoy
More information about the Freeipa-devel
mailing list