[Freeipa-devel] [PROPOSAL] Kerberos flags
Jan Cholasta
jcholast at redhat.com
Tue Mar 12 17:31:54 UTC 2013
On 12.3.2013 18:01, Simo Sorce wrote:
> On Tue, 2013-03-12 at 17:31 +0100, Jan Cholasta wrote:
>> On 12.3.2013 17:24, Simo Sorce wrote:
>>> On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote:
>>>> Why can't we set the bitfield (krbTicketFlags) directly? (There is an
>>>> ACI preventing that, I'm just wondering what is the reason for this.)
>>>
>>> If you tell me who 'we' is (as in what user would set it) I can tell you
>>> why it is/isn't possible.
>>
>> Why can no IPA user (including admins) set the attribute?
>
> I guess admins should be allowed to.
>
> Users can't, as ticket flags change the behavior of the principal in
> ways only admins should be allowed to. (preauth required or not, AS
> requests disabled or not, etc...)

Thanks. For normal users it's obvious, but it seemed a little bit
strange to disallow admins from setting the flags.

So, can the krbTicketFlags attribute be used internally in IPA plugins
to set/unset the flags, given that the ACI is changed to allow admins to
modify the attribute?

Honza

--
Jan Cholasta