[Freeipa-devel] [PATCH] s4u2proxy support

Martin Kosek mkosek at redhat.com
Wed Feb 15 16:12:22 UTC 2012


On Wed, 2012-01-04 at 15:11 -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
> > On Wed, 14 Dec 2011, Rob Crittenden wrote:
> >
> >> Dmitri Pal wrote:
> >>> On 12/12/2011 07:15 PM, Simo Sorce wrote:
> >>>> On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
> >>>>> This patch adds support for s4u2proxy. This means that the Apache
> >>>>> server
> >>>>> will obtain the ldap service ticket on behalf of the user rather than
> >>>>> the user having to send their TGT. The user's ticket still needs to
> >>>>> be
> >>>>> forwardable, we just don't require it to be forwarded any more.
> >>>>
> >>>> Should we make the patch allow the old behavior by using a switch that
> >>>> reverts to forwarding the TGT?
> >>>>
> >>>> It would be useful during upgrades if some of your servers still need
> >>>> forwarded TGTs, or if you want to use a newer client against an old
> >>>> server while you have the newer stuff under test.
> >>>> (And to test in general).
> >>>>
> >>>> Simo.
> >>> +1
> >>>
> >>
> >> Updated patch attached.
> >>
> >> rob
> >
> >> > From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
> >> From: Rob Crittenden<rcritten at redhat.com>
> >> Date: Thu, 8 Dec 2011 14:23:18 -0500
> >> Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
> >>   now
> >>
> >> A forwardable ticket is still required but we no longer need to send
> >> the TGT to the IPA server. A new flag, --delegation, is available if
> >> the old behavior is required.
> > A minor point: please fix commit message to use proper option name:
> >
> > --delegate
> >
> >> +        parser.add_option('--delegate', action='store_true',
> >> +            help='Delegate the TGT to the IPA server',
> >> +        )
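Review bot: the `--delegate` option in this `add_option` call sets no `default`. Assuming this is an optparse parser, as `add_option` suggests, the attribute is None rather than False when the flag is omitted, so adding `default=False` would make the no-delegation default explicit. The help string could also say that the option restores the earlier behaviour of sending the TGT, since the commit message describes it as the old behavior.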
> >
> > Otherwise ACK.
> >
> 
> Updated both patches. The first (914) to address Alexander's concern. 
> The second to add a new global lock directive. I updated the 
> mod_auth_kerb patch based on feedback from the package maintainer.
> 
> rob

ACK for patch 914-4. Pushed to master, ipa-2-2.

In reality, it was really sent in the thread for patch 947. I just
renamed it and created a rebased version for master branch. Both patches
are attached.

Martin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-914-4-nodelegation.patch
Type: text/x-patch
Size: 7993 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120215/a4a75728/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-rcrit-914-4-master.patch
Type: text/x-patch
Size: 8304 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20120215/a4a75728/attachment-0001.bin>

