[Freeipa-devel] [PROPOSAL] Kerberos flags

Jan Cholasta jcholast at redhat.com
Tue Mar 12 09:23:12 UTC 2013


On 8.3.2013 14:41, Simo Sorce wrote:
> On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote:
>> Hi,
>>
>> On 7.3.2013 21:15, Rob Crittenden wrote:
>>> Based on a comment from Sumit in ticket
>>> https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
>>> how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
>>
>> Can we have one multi-valued attribute which contains names of flags to
>> set instead of one attribute per flag? It might make adding new flags
>> easier.
>
> If you are cramming everything in one attribute then we can keep using
> krbExtraData, no?

I'm not sure if that can be done from Python.

Can we use krbTicketFlags for this? Support for this attribute is 
already in ipa-kdb and I have checked that setting it to the right value 
results in tickets with OK_AS_DELEGATE set.

>
>> Would it make sense to add a global configuration option to turn flags
>> on or off for all services of a given type?
>
> We might, but how do you check for the global value?
> An additional search for every KDC operation is simply not going to
> happen.

Can we do that extra search only when the KDC is initialized and when 
configuration is refreshed? I don't think the default values would 
change too often, so this might be OK.

>
> Simo.
>

Honza

-- 
Jan Cholasta
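
An added example, not part of the original message and not FreeIPA code: one way to turn a list of flag names into a krbTicketFlags value by read-modify-write, so that setting OK_AS_DELEGATE does not clear bits already present on the entry. The bit values are the KRB5_KDB_* constants from MIT krb5's kdb.h; the lower-case flag names, the dict-shaped entry and the sample value are assumptions made for illustration.

```python
# Added example. Bit values are the KRB5_KDB_* constants from MIT krb5's kdb.h;
# the lower-case names are hypothetical labels, not FreeIPA attribute values.
KDB_FLAGS = {
    "disallow_all_tix": 0x00000040,
    "requires_pre_auth": 0x00000080,
    "ok_as_delegate": 0x00100000,
    "ok_to_auth_as_delegate": 0x00200000,
    "no_auth_data_required": 0x00400000,
}
KNOWN_MASK = sum(KDB_FLAGS.values())


def read_ticket_flags(entry):
    """Return krbTicketFlags from an LDAP-style entry dict as an int (0 if absent)."""
    values = entry.get("krbTicketFlags", [])
    if len(values) > 1:
        raise ValueError("krbTicketFlags is single-valued")
    return int(values[0]) if values else 0


def decode(value):
    """Split a bitmask into known flag names and the leftover unnamed bits."""
    names = {name for name, bit in KDB_FLAGS.items() if value & bit}
    return names, value & ~KNOWN_MASK


def apply_flags(entry, enable=(), disable=()):
    """Read-modify-write: change only the named bits, keep every other bit."""
    unknown = (set(enable) | set(disable)) - set(KDB_FLAGS)
    if unknown:
        raise ValueError("unknown flag name(s): %s" % ", ".join(sorted(unknown)))
    if set(enable) & set(disable):
        raise ValueError("flag listed in both enable and disable")
    value = read_ticket_flags(entry)
    for name in enable:
        value |= KDB_FLAGS[name]
    for name in disable:
        value &= ~KDB_FLAGS[name]
    return {"krbTicketFlags": [str(value).encode("ascii")]}


if __name__ == "__main__":
    # Constructed sample entry: pre-authentication required plus one unnamed bit.
    service = {"krbTicketFlags": [b"129"]}
    updated = apply_flags(service, enable=["ok_as_delegate"])
    print(updated, decode(read_ticket_flags(updated)))
```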



