[Freeipa-devel] [PROPOSAL] Kerberos flags

Rob Crittenden rcritten at redhat.com
Fri Mar 8 19:09:40 UTC 2013


Petr Spacek wrote:
> On 8.3.2013 16:45, Rob Crittenden wrote:
>> One would need to pass in the object type they are dealing with:
>>
>> ipa krbflags --type=user --ok-as-delegate=false sbose
>> ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com
>>
>> We *could* avoid type potentially but it would expand our search base and
>> could slow things down with lots of entries.
> Correct me if I'm wrong, but our KDC driver usually does sub-tree search
> with base dc=example,dc=com. (Except some special cases.) Or not? :-)

Yes but when we do that search we've got a full principal.

Consider the host plugin. If we are given a non-fully-qualified hostname 
we add the IPA domain by default when looking for things.

It is not uncommon for people to name their laptop after themselves.

So if we are told to add a flag to the pspacek principal, which one is 
it? The user pspacek or the host pspacek.example.com? Or we could 
require that hostnames are fully-qualified, it would just be a 
difference from other plugins.


>> We could search on the accounts
>> container using (objectclass=ipaKrbPrincipal) and
>> (|(uid=CRITERIA)(fqdn=CRITERIA)(krbprincipalname=CRITERIA)) or
>> something like
>> that. I think I'd prefer specifying a type to avoid the case where
>> someone has
>> a hostname the same as a uid (we typically allow specifying non-fqdn when
>> managing hosts).
> Would it be possible to define some reasonable default value for "--type"?
> I don't like typing "--service" all the time ...
>

Maybe, if we can assume what type of principal is most likely to be 
updated. Remember that the host/ principal is stored in a host, not a 
service record.

Then again, I don't know how often one is going to be adding flags to 
principals, so perhaps a required switch wouldn't be too onerous.

rob
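An added illustration of the ambiguity discussed above (example code, not FreeIPA's own): it mocks the search over cn=accounts with a few constructed entries, builds the filter sketched in the thread, and shows that a bare "pspacek" matches both the user and the domain-qualified host, while a required --type narrows it to one. The directory entries, domain, realm and the --type-to-attribute mapping are assumptions.

```python
# Added example (not FreeIPA's code): models the lookup ambiguity discussed in the
# thread with an in-memory stand-in for the LDAP search over cn=accounts.
IPA_DOMAIN = "example.com"   # assumed, matches the thread's dc=example,dc=com
REALM = "EXAMPLE.COM"        # assumed realm

# Constructed entries: a user and a host share the short name "pspacek".
DIRECTORY = [
    {"dn": "uid=pspacek,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "ipaKrbPrincipal"], "uid": "pspacek",
     "krbprincipalname": "pspacek@EXAMPLE.COM"},
    {"dn": "fqdn=pspacek.example.com,cn=computers,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaHost", "ipaKrbPrincipal"], "fqdn": "pspacek.example.com",
     "krbprincipalname": "host/pspacek.example.com@EXAMPLE.COM"},
    {"dn": "krbprincipalname=HTTP/ipa.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaService", "ipaKrbPrincipal"],
     "krbprincipalname": "HTTP/ipa.example.com@EXAMPLE.COM"},
]

# Attribute each --type keys on (assumed mapping; host/ principals live in host entries).
TYPE_ATTR = {"user": "uid", "host": "fqdn", "service": "krbprincipalname"}

def candidates(criteria):
    """Values to match per attribute, with the host plugin's domain (and realm) defaulting."""
    fqdn = criteria if "." in criteria else f"{criteria}.{IPA_DOMAIN}"
    princ = criteria if "@" in criteria else f"{criteria}@{REALM}"
    return {"uid": criteria, "fqdn": fqdn, "krbprincipalname": princ}

def build_filter(criteria, type_=None):
    """The LDAP filter the thread sketches, narrowed to one attribute when --type is given."""
    values = candidates(criteria)
    if type_ is None:
        alts = "".join(f"({a}={v})" for a, v in values.items())
        return f"(&(objectclass=ipaKrbPrincipal)(|{alts}))"
    attr = TYPE_ATTR[type_]
    return f"(&(objectclass=ipaKrbPrincipal)({attr}={values[attr]}))"

def find_principals(criteria, type_=None):
    """Apply the same matching rules to DIRECTORY and return the DNs that match."""
    values = candidates(criteria)
    attrs = [TYPE_ATTR[type_]] if type_ else list(values)
    return [e["dn"] for e in DIRECTORY
            if "ipaKrbPrincipal" in e["objectclass"]
            and any(e.get(a) == values[a] for a in attrs)]

def resolve_target(criteria, type_=None):
    """Refuse unless exactly one entry matches: a flag change must not land on the wrong principal."""
    matches = find_principals(criteria, type_)
    if len(matches) != 1:
        raise ValueError(f"{criteria!r} matched {len(matches)} principals; pass --type")
    return matches[0]
```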
