[Freeipa-devel] [PROPOSAL] Kerberos flags

Sumit Bose sbose at redhat.com
Fri Mar 8 09:55:06 UTC 2013


On Fri, Mar 08, 2013 at 10:31:58AM +0100, Jan Cholasta wrote:
> Hi,
> 
> On 7.3.2013 21:15, Rob Crittenden wrote:
> >Based on a comment from Sumit in ticket
> >https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
> >how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
> 
> Can we have one multi-valued attribute which contains names of flags
> to set instead of one attribute per flag? It might make adding new
> flags easier.

Yes, as said I think it makes sense to just add support for all flags to
find a good/scalable design. This way it would be a bit harder for
external applications which access the LDAP server directly to see which
flags are supported, but it will keep the schema much cleaner.

> 
> Would it make sense to add a global configuration option to turn
> flags on or off for all services of a given type?

In general yes, I'm just wondering if this should be handled here or
tracked by a separate ticket/design because different LDAP objects will
be used to manage the defaults. Additionally we might want to think a
bit longer about how global defaults and individual flags will be
merged. I think it is not as easy as with the authorization data (PAC
type) where we said that individual setting replaces the defaults
because iirc the REQUIRES_PRE_AUTH is currently always set. Please note
also that this is not only about services but hosts and users as well.

bye,
Sumit

> 
> >
> >There is a bit of hand waving going on around how the flags are actually
> >set inside the KDB plugin since I'm not at all familiar with that code
> >but I don't expect it to be too big a deal.
> >
> >I'm not necessarily volunteering to do this work, just trying to keep
> >the ball moving forward.
> >
> >rob
> >
> 
> Honza
> 
> -- 
> Jan Cholasta
> 