[Freeipa-devel] [PROPOSAL] Kerberos flags

Sumit Bose sbose at redhat.com
Fri Mar 8 17:53:52 UTC 2013


On Fri, Mar 08, 2013 at 12:28:03PM -0500, Nathaniel McCallum wrote:
> On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote:
> > On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote:
> > > Based on a comment from Sumit in ticket
> > > https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline
> > > of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
> > > 
> > > There is a bit of hand waving going on around how the flags are
> > > actually set inside the KDB plugin since I'm not at all familiar
> > > with that code but I don't expect it to be too big a deal.
> > > 
> > > I'm not necessarily volunteering to do this work, just trying to
> > > keep the ball moving forward.
> > 
> > Thank you for setting up the design page. I would like to suggest that
> > we should try to include all currently available flags in one run,
> > because:
> > - some flags related to OTP would be needed as well
> 
> I'm not aware of any. Are you? I may very well be missing something
> obvious.

iirc you once mentioned that requires_hwauth is used to signal the
client that an OTP is needed. But I haven't checked your recent code if
the flag is added behind the scenes or if it needs to be set for the
principal.

bye,
Sumit

> 
> Nathaniel
> 
> 



