[Freeipa-devel] [PROPOSAL] Kerberos flags
Simo Sorce
simo at redhat.com
Tue Mar 12 12:34:33 UTC 2013

On Tue, 2013-03-12 at 10:23 +0100, Jan Cholasta wrote:
> On 8.3.2013 14:41, Simo Sorce wrote:
> > On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote:
> >> Hi,
> >>
> >> On 7.3.2013 21:15, Rob Crittenden wrote:
> >>> Based on a comment from Sumit in ticket
> >>> https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
> >>> how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
> >>
> >> Can we have one multi-valued attribute which contains names of flags to
> >> set instead of one attribute per flag? It might make adding new flags
> >> easier.
> >
> > If you are cramming everything in one attribute then we can keep using
> > krbExtraData, no?
>
> I'm not sure if that can be done from Python.
>
> Can we use krbTicketFlags for this? Support for this attribute is
> already in ipa-kdb and I have checked that setting it to the right value
> results in tickets with OK_AS_DELEGATE set.
>
> >
> >> Would it make sense to add a global configuration option to turn flags
> >> on or off for all services of a given type?
> >
> > We might, but how do you check for the global value?
> > An additional search for every KDC operation is simply not going to
> > happen.
>
> Can we do that extra search only when the KDC is initialized and when
> configuration is refreshed? I don't think the default values would
> change too often, so this might be OK.

How do you know when the configuration changes?

Simo.

--
Simo Sorce * Red Hat, Inc * New York