[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test
Simo Sorce
simo at redhat.com
Thu Sep 18 14:40:27 UTC 2014
On Thu, 18 Sep 2014 16:28:19 +0200
Martin Kosek <mkosek at redhat.com> wrote:
> On 09/18/2014 04:06 PM, David Kupka wrote:
> > On 09/18/2014 03:44 PM, Rob Crittenden wrote:
> >> David Kupka wrote:
> >>> https://fedorahosted.org/freeipa/ticket/4421
> >>
> >> You are removing an ACI in this patch. It is always possible it is
> >> no longer needed. Did you test all the client enrollment scenarios?
> >>
> >> rob
> >>
> >
> > As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
> > it is possible to add krbPrincipalName to host even when there is
> > already one (or more). And adding one ACI to allow writing
> > krbCanonicalName to host. But I'm still not really familiar with
> > ACI so please correct me if I'm wrong.
> >
>
> What this refers to is probably the update in ACI.txt - the ACI
> alternative to API.txt. David updated an ACI, not removed it.
>
> On that note, what is the reason for this permission change:
>
> - 'ipapermtargetfilter': [
> - '(objectclass=ipahost)',
> - '(!(krbprincipalname=*))',
> - ],
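Review bot: the removed lines drop the whole `ipapermtargetfilter`, so the `(objectclass=ipahost)` restriction goes away together with `(!(krbprincipalname=*))`, and the quoted fragment shows no replacement `+` lines. If the intent described in the thread is only to let a host that already has a krbPrincipalName receive another one, the objectclass clause should stay and only the negated clause should be removed; either way, the reason for widening the permission's target set belongs in the commit message, and the tests should exercise the newly permitted write.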
>
> ?
I also think both the code and the tests are missing a check to ensure that
krbPrincipalName *also* *always* lists the krbCanonicalName.
I think with the current code you can end up in a situation where you
have a value in krbCanonicalName and completely different values in
krbPrincipalName.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
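The invariant raised above, that the krbCanonicalName value is always among the krbPrincipalName values of the same entry, as an added example. This is not FreeIPA code: the attribute names are the LDAP attributes named in the thread, while the dict-of-lists entry layout, the function names and the sample host entry are constructed for illustration.

```python
# Added example, not FreeIPA code: enforces the invariant raised in the thread,
# that the krbCanonicalName value must always appear among the krbPrincipalName
# values of the same entry. The attribute names are the LDAP attributes the
# thread names; the entry layout (attribute -> list of values) and the function
# names are hypothetical.

from typing import Dict, Iterable, List, Optional

Entry = Dict[str, List[str]]


class PrincipalConsistencyError(ValueError):
    """Raised when krbCanonicalName and krbPrincipalName would disagree."""


def canonical_name_listed(entry: Entry) -> bool:
    """True if the entry has no krbCanonicalName, or its single value is also
    present in krbPrincipalName."""
    canonical = entry.get("krbCanonicalName", [])
    if not canonical:
        return True
    if len(canonical) != 1:  # krbCanonicalName is single-valued
        return False
    return canonical[0] in entry.get("krbPrincipalName", [])


def apply_principal_update(entry: Entry,
                           add_principals: Iterable[str] = (),
                           remove_principals: Iterable[str] = (),
                           set_canonical: Optional[str] = None) -> Entry:
    """Return a copy of `entry` with the requested changes applied.

    Covers the operations discussed: adding a krbPrincipalName to a host that
    already has one or more, and writing krbCanonicalName. The final check is
    the one the thread says is missing: a write that would leave
    krbCanonicalName absent from krbPrincipalName is rejected, not stored.
    """
    new: Entry = {k: list(v) for k, v in entry.items()}
    principals = new.setdefault("krbPrincipalName", [])

    for p in add_principals:
        if p not in principals:
            principals.append(p)

    for p in remove_principals:
        if p in principals:
            principals.remove(p)

    if set_canonical is not None:
        if set_canonical not in principals:
            # Make the canonical name a principal too rather than storing an
            # inconsistent pair.
            principals.append(set_canonical)
        new["krbCanonicalName"] = [set_canonical]

    if not canonical_name_listed(new):
        raise PrincipalConsistencyError(
            "krbCanonicalName %r is not among krbPrincipalName %r"
            % (new.get("krbCanonicalName"), principals))
    return new


if __name__ == "__main__":
    # Constructed host entry; host names and realm are made up.
    host = {
        "objectClass": ["ipahost"],
        "fqdn": ["web1.example.test"],
        "krbPrincipalName": ["host/web1.example.test@EXAMPLE.TEST"],
        "krbCanonicalName": ["host/web1.example.test@EXAMPLE.TEST"],
    }
    # Adding a second principal keeps the canonical name listed.
    updated = apply_principal_update(
        host, add_principals=["host/www.example.test@EXAMPLE.TEST"])
    print(updated["krbPrincipalName"])
    # Removing the canonical principal without replacing it is refused.
    try:
        apply_principal_update(
            updated, remove_principals=["host/web1.example.test@EXAMPLE.TEST"])
    except PrincipalConsistencyError as e:
        print("rejected:", e)
```

The removal case is included deliberately: the inconsistent state Simo describes can be reached not only by writing a new krbCanonicalName but also by deleting the krbPrincipalName value that the canonical name points at, so a check that runs only on canonical-name writes is not sufficient.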