[Freeipa-devel] [PROPOSAL] Kerberos flags

Jan Cholasta jcholast at redhat.com
Tue Mar 12 09:13:47 UTC 2013


On 8.3.2013 20:09, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 8.3.2013 16:45, Rob Crittenden wrote:
>>> One would need to pass in the object type they are dealing with:
>>>
>>> ipa krbflags --type=user --ok-as-delegate=false sbose
>>> ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com
>>>
>>> We *could* avoid type potentially but it would expand our search base
>>> and
>>> could slow things down with lots of entries.
>> Correct me if I'm wrong, but our KDC driver usually does sub-tree search
>> with base dc=example,dc=com. (Except some special cases.) Or not? :-)
>
> Yes but when we do that search we've got a full principal.
>
> Consider the host plugin. If we are given a non-fully-qualified hostname
> we add the IPA domain by default when looking for things.
>
> It is not uncommon for people to name their laptop after themselves.
>
> So if we are told to add a flag to the pspacek principal, which one is
> it? The user pspacek or the host pspacek.example.com? Or we could
> require that hostnames are fully-qualified, it would just be a
> difference from other plugins.
>
>
>>> We could search on the accounts
>>> container using (objectclass=ipaKrbPrincipal) and
>>> (|(uid=CRITERIA)(fqdn=CRITERIA)(krbprincipalname=CRITERIA)) or
>>> something like
>>> that. I think I'd prefer specifying a type to avoid the case where
>>> someone has
>>> a hostname the same as a uid (we typically allow specifying non-fqdn
>>> when
>>> managing hosts).
>> Would it be possible to define some reasonable default value for "--type"?
>> I don't like typing "--service" all the time ...
>>
>
> Maybe, if we can assume what type of principal is most likely to be
> updated. Remember that the host/ principal is stored in a host, not a
> service record.
>
> Then again, I don't know how often one is going to be adding flags to
> principals, so perhaps a required switch wouldn't be too onerous.

Since the plugin would be used to manage Kerberos specifics, I think it 
is fair to require a valid principal as the argument. So it's either 
<user> or host/<fqdn> (or <service>/<fqdn>), there's no ambiguity in 
that and no --type option is required.

If you insist on using arbitrary names, I think we had better do this in 
the user/host/service plugins, as suggested originally. Setting the PAC type 
is done in the usual place in the service plugin after all, even though it 
is Kerberos-specific.

>
> rob
>

Honza

-- 
Jan Cholasta
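The two lookup strategies debated in this thread, as an added example that is not FreeIPA code and not part of the original message: `arbitrary_name_filter`/`lookup_by_name` implement Rob's single disjunction over uid, fqdn and krbprincipalname (with the IPA domain appended to an unqualified host name, as the host plugin does), and `parse_principal`/`lookup_by_principal` implement Jan's rule that the argument must already be a valid principal. The realm `EXAMPLE.COM`, the domain `example.com`, the DNs and the three directory entries (the "laptop named after its owner" case) are constructed for the example, and the in-memory list stands in for an LDAP search; none of the function names are existing IPA APIs.

```python
"""Argument lookup for a hypothetical 'ipa krbflags' command.

Added example, not FreeIPA code.  REALM, DOMAIN, the DNs and the three
DIRECTORY entries are constructed for illustration.
"""
import re

REALM = "EXAMPLE.COM"    # assumed Kerberos realm
DOMAIN = "example.com"   # assumed IPA domain, appended to unqualified host names

# Constructed entries: a user and a host that share the short name "pspacek".
DIRECTORY = [
    {"dn": "uid=pspacek,cn=users,cn=accounts,dc=example,dc=com",
     "uid": "pspacek",
     "krbprincipalname": "pspacek@" + REALM},
    {"dn": "fqdn=pspacek.example.com,cn=computers,cn=accounts,dc=example,dc=com",
     "fqdn": "pspacek.example.com",
     "krbprincipalname": "host/pspacek.example.com@" + REALM},
    {"dn": "krbprincipalname=HTTP/ipa.example.com@EXAMPLE.COM,"
           "cn=services,cn=accounts,dc=example,dc=com",
     "krbprincipalname": "HTTP/ipa.example.com@" + REALM},
]


def ldap_escape(value):
    """RFC 4515 filter escaping, so a caller-supplied name cannot add clauses."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def qualify_host(name):
    """Mimic the host plugin: a name without a dot gets the IPA domain."""
    return name if "." in name else "%s.%s" % (name, DOMAIN)


def arbitrary_name_filter(name):
    """Rob's search: uid, auto-qualified fqdn or principal, in one disjunction."""
    return "(&(objectclass=ipaKrbPrincipal)(|(uid=%s)(fqdn=%s)(krbprincipalname=%s)))" % (
        ldap_escape(name), ldap_escape(qualify_host(name)), ldap_escape(name))


def lookup_by_name(name):
    """Evaluate the disjunction above against DIRECTORY (LDAP search stand-in)."""
    fqdn = qualify_host(name)
    return [e for e in DIRECTORY
            if e.get("uid") == name
            or e.get("fqdn") == fqdn
            or e.get("krbprincipalname") == name]


def parse_principal(arg):
    """Jan's rule: accept only <user>, host/<fqdn> or <service>/<fqdn>,
    optionally suffixed with @REALM.  Returns (kind, canonical principal)."""
    name, has_realm, realm = arg.partition("@")
    if has_realm and realm != REALM:
        raise ValueError("unknown realm %r" % realm)
    if not name:
        raise ValueError("empty principal")
    if "/" not in name:
        return "user", name + "@" + REALM
    service, _, host = name.partition("/")
    # The host part must be fully qualified; no domain is ever appended here.
    if not service or not host or "/" in host or "." not in host:
        raise ValueError("service principal must be <service>/<fqdn>: %r" % arg)
    kind = "host" if service == "host" else "service"
    return kind, name + "@" + REALM


def principal_filter(arg):
    """Exact-match filter derived from a validated principal."""
    _, principal = parse_principal(arg)
    return "(&(objectclass=ipaKrbPrincipal)(krbprincipalname=%s))" % ldap_escape(principal)


def lookup_by_principal(arg):
    """Search stand-in for principal_filter: at most one entry can match."""
    _, principal = parse_principal(arg)
    return [e for e in DIRECTORY if e.get("krbprincipalname") == principal]


if __name__ == "__main__":
    print(arbitrary_name_filter("pspacek"))
    for e in lookup_by_name("pspacek"):
        print("  ambiguous hit:", e["dn"])
    for arg in ("pspacek", "host/pspacek.example.com", "HTTP/ipa.example.com"):
        print(principal_filter(arg), "->", [e["dn"] for e in lookup_by_principal(arg)])
```

Run as a script, the arbitrary-name search for `pspacek` returns both the user and the host entry, which is exactly the ambiguity Rob raised; the principal-based lookup returns one entry per argument and rejects `host/pspacek` instead of guessing a domain. The escaping step matters in either design, since the name comes straight from the command line and is interpolated into a filter.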
