[Freeipa-devel] [PROPOSAL] Kerberos flags

Rob Crittenden rcritten at redhat.com
Tue Mar 12 12:12:30 UTC 2013


Jan Cholasta wrote:
> On 8.3.2013 20:09, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 8.3.2013 16:45, Rob Crittenden wrote:
>>>> One would need to pass in the object type they are dealing with:
>>>>
>>>> ipa krbflags --type=user --ok-as-delegate=false sbose
>>>> ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com
>>>>
>>>> We *could* avoid type potentially but it would expand our search base
>>>> and
>>>> could slow things down with lots of entries.
>>> Correct me if I'm wrong, but our KDC driver usually does sub-tree search
>>> with base dc=example,dc=com. (Except some special cases.) Or not? :-)
>>
>> Yes but when we do that search we've got a full principal.
>>
>> Consider the host plugin. If we are given a non-fully-qualified hostname
>> we add the IPA domain by default when looking for things.
>>
>> It is not uncommon for people to name their laptop after themselves.
>>
>> So if we are told to add a flag to the pspacek principal, which one is
>> it? The user pspacek or the host pspacek.example.com? Or we could
>> require that hostnames are fully-qualified, it would just be a
>> difference from other plugins.
>>
>>
>>>> We could search on the accounts
>>>> container using (objectclass=ipaKrbPrincipal) and
>>>> (|(uid=CRITERIA)(fqdn=CRITERIA)(krbprincipalname=CRITERIA)) or
>>>> something like
>>>> that. I think I'd prefer specifying a type to avoid the case where
>>>> someone has
>>>> a hostname the same as a uid (we typically allow specifying non-fqdn
>>>> when
>>>> managing hosts).
>>> Would it be possible define some reasonable default value for "--type"?
>>> I don't like typing "--service" all the time ...
>>>
>>
>> Maybe, if we can assume what type of principal is most likely to be
>> updated. Remember that the host/ principal is stored in a host, not a
>> service record.
>>
>> Then again, I don't know how often one is going to be adding flags to
>> principals, so perhaps a required switch wouldn't be too onerous.
>
> Since the plugin would be used to manage Kerberos specifics, I think it
> is fair to require a valid principal as the argument. So it's either
> <user> or host/<fqdn> (or <service>/<fqdn>), there's no ambiguity in
> that and no --type option is required.
>
> If you insist on using arbitrary names, I think we better do this in
> user/host/service plugins, as suggested originally. Setting PAC type is
> done in the usual place in service plugin after all, even when it is
> Kerberos-specific.

I came to the same conclusion and updated the proposal yesterday this way.

rob
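The principal-argument rule Jan proposes above (accept `<user>`, `host/<fqdn>` or `<service>/<fqdn>`, never a bare short name that the host plugin would domain-qualify) can be illustrated with a small worked example. This is an added example written for this page, not FreeIPA code: the realm, the default domain, the directory entries and every function name are assumptions, and the tiny "directory" is a constructed in-memory list standing in for the LDAP accounts container. It evaluates the OR filter from the thread against a user and a host that share the short name `pspacek` to show the double match, then evaluates the full-principal lookup that needs no `--type`, and escapes the criteria per RFC 4515 before they are interpolated into a filter, which is the caveat a practitioner would want whenever a CLI argument ends up inside an LDAP search.

```python
# Added illustration of the principal-argument rule discussed in the thread.
# Not FreeIPA code: realm, domain and directory entries are constructed.
REALM = "EXAMPLE.COM"       # assumed Kerberos realm
IPA_DOMAIN = "example.com"  # assumed domain the host plugin appends to short names

# Constructed directory: a user and a host sharing the short name "pspacek".
DIRECTORY = [
    {"dn": "uid=pspacek,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "ipaKrbPrincipal"],
     "uid": "pspacek",
     "krbprincipalname": "pspacek@EXAMPLE.COM"},
    {"dn": "fqdn=pspacek.example.com,cn=computers,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipahost", "ipaKrbPrincipal"],
     "fqdn": "pspacek.example.com",
     "krbprincipalname": "host/pspacek.example.com@EXAMPLE.COM"},
    {"dn": "krbprincipalname=HTTP/ipa.example.com@EXAMPLE.COM,"
           "cn=services,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaservice", "ipaKrbPrincipal"],
     "krbprincipalname": "HTTP/ipa.example.com@EXAMPLE.COM"},
]


def ldap_escape(value):
    """Escape a value for an LDAP filter assertion (RFC 4515) so that a
    user-supplied CRITERIA string cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def parse_principal(arg, realm=REALM):
    """Apply the rule from the thread: the argument is <user>, host/<fqdn> or
    <service>/<fqdn>, optionally with @REALM. Returns (kind, principal without
    realm) and raises ValueError for anything that would be ambiguous."""
    name, sep, given_realm = arg.partition("@")
    if sep and given_realm != realm:
        raise ValueError("foreign realm in %r" % arg)
    if not name:
        raise ValueError("empty principal")
    if "/" not in name:
        # No instance part: a user principal. A short hostname is *not*
        # accepted here, which removes the pspacek vs pspacek.example.com case.
        return ("user", name)
    service, _, instance = name.partition("/")
    if not service or not instance or "/" in instance:
        raise ValueError("malformed principal %r" % arg)
    if "." not in instance:
        # Unlike the host plugin, no default domain is appended.
        raise ValueError("instance %r must be fully qualified" % instance)
    return ("host" if service == "host" else "service", name)


def is_valid_principal(arg, realm=REALM):
    try:
        parse_principal(arg, realm)
        return True
    except ValueError:
        return False


def exact_filter(arg, realm=REALM):
    """Filter for the full-principal rule: one principal name, one entry."""
    _, name = parse_principal(arg, realm)
    return ("(&(objectclass=ipaKrbPrincipal)(krbprincipalname=%s))"
            % ldap_escape(name + "@" + realm))


def loose_filter(criteria, domain=IPA_DOMAIN):
    """The OR filter floated in the thread, with the host plugin's default
    domain appended to a short name as the fqdn alternative."""
    c = ldap_escape(criteria)
    fq = ldap_escape(criteria if "." in criteria else criteria + "." + domain)
    return ("(&(objectclass=ipaKrbPrincipal)"
            "(|(uid=%s)(fqdn=%s)(krbprincipalname=%s)))" % (c, fq, c))


def find_loose(criteria, domain=IPA_DOMAIN, directory=DIRECTORY):
    """Evaluate the semantics of loose_filter against the constructed directory."""
    fq = criteria if "." in criteria else criteria + "." + domain
    return [e for e in directory
            if e.get("uid") == criteria or e.get("fqdn") == fq
            or e.get("krbprincipalname") == criteria]


def find_exact(arg, realm=REALM, directory=DIRECTORY):
    """Evaluate the semantics of exact_filter against the constructed directory."""
    _, name = parse_principal(arg, realm)
    full = name + "@" + realm
    return [e for e in directory if e.get("krbprincipalname") == full]


if __name__ == "__main__":
    for arg in ("pspacek",):
        print(loose_filter(arg), "->", [e["dn"] for e in find_loose(arg)])
    for arg in ("pspacek", "host/pspacek.example.com", "HTTP/ipa.example.com"):
        print(exact_filter(arg), "->", [e["dn"] for e in find_exact(arg)])
```

Run stand-alone, the loose lookup for `pspacek` returns both the user and the host entry, while the exact lookups return exactly one entry each and `host/pspacek` is rejected rather than silently qualified with the domain.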
