[Freeipa-devel] [PROPOSAL] Kerberos flags

Petr Spacek pspacek at redhat.com
Fri Mar 8 17:52:31 UTC 2013


On 8.3.2013 16:45, Rob Crittenden wrote:
> One would need to pass in the object type they are dealing with:
>
> ipa krbflags --type=user --ok-as-delegate=false sbose
> ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com
>
> We *could* avoid type potentially but it would expand our search base and
> could slow things down with lots of entries.
Correct me if I'm wrong, but our KDC driver usually does sub-tree search with 
base dc=example,dc=com. (Except some special cases.) Or not? :-)

> We could search on the accounts
> container using (objectclass=ipaKrbPrincipal) and
> (|(uid=CRITERIA)(fqdn=CRITERIA)(krbprincipalname=CRITERIA)) or something like
> that. I think I'd prefer specifying a type to avoid the case where someone has
> a hostname the same as a uid (we typically allow specifying non-fqdn when
> managing hosts).
Would it be possible to define some reasonable default value for "--type"? I 
don't like typing "--service" all the time ...

-- 
Petr^2 Spacek
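The lookup Rob sketches above, as an added example that is not FreeIPA's own code: it renders the filter (with CRITERIA escaped) and evaluates it over constructed entries, once with a type and once without, to show why a user and a host sharing a short name makes the untyped search ambiguous. The type-to-attribute map and the DOMAIN/REALM expansion of short names are assumptions made for the example.

```python
# Added example, not FreeIPA's own code: the lookup Rob sketched, rendered as an
# LDAP filter and evaluated over constructed entries, with and without --type.
DOMAIN = "example.com"   # assumption: appended when a host is given by short name
REALM = "EXAMPLE.COM"    # assumption: appended when a principal lacks a realm
TYPE_ATTR = {"user": "uid", "host": "fqdn", "service": "krbprincipalname"}

def ldap_escape(value):
    """Escape CRITERIA for an LDAP filter (RFC 4515) so it cannot alter the filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def candidates(criteria, attr):
    """Values compared against attr: the short forms the CLI accepts are expanded."""
    if attr == "fqdn" and "." not in criteria:
        return [criteria, f"{criteria}.{DOMAIN}"]
    if attr == "krbprincipalname" and "@" not in criteria:
        return [criteria, f"{criteria}@{REALM}"]
    return [criteria]

def search_attrs(obj_type):
    """With --type only one attribute is tried; without it, all three are."""
    return [TYPE_ATTR[obj_type]] if obj_type else list(TYPE_ATTR.values())

def build_filter(criteria, obj_type=None):
    """Render the filter that would be sent to the directory."""
    terms = "".join(f"({a}={ldap_escape(v)})"
                    for a in search_attrs(obj_type) for v in candidates(criteria, a))
    return f"(&(objectclass=ipaKrbPrincipal)(|{terms}))"

def lookup(entries, criteria, obj_type=None):
    """Evaluate the same filter in memory (exact match for simplicity) and
    refuse to act when more than one principal matches."""
    hits = [e["dn"] for e in entries if "ipaKrbPrincipal" in e["objectclass"]
            and any(e.get(a) == v for a in search_attrs(obj_type)
                    for v in candidates(criteria, a))]
    if len(hits) > 1:
        raise LookupError(f"{criteria!r} is ambiguous without --type: {hits}")
    return hits[0] if hits else None

# Constructed entries: a user and a host that share the short name "sbose".
ENTRIES = [
    {"dn": "uid=sbose,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaKrbPrincipal"], "uid": "sbose",
     "krbprincipalname": "sbose@EXAMPLE.COM"},
    {"dn": "fqdn=sbose.example.com,cn=computers,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaKrbPrincipal"], "fqdn": "sbose.example.com",
     "krbprincipalname": "host/sbose.example.com@EXAMPLE.COM"},
    {"dn": "krbprincipalname=HTTP/ipa.example.com@EXAMPLE.COM,cn=services,"
           "cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaKrbPrincipal"],
     "krbprincipalname": "HTTP/ipa.example.com@EXAMPLE.COM"},
]
```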
