[Freeipa-devel] [PATCH] 0015-16 Allow multiple krbprincipalnames + test

David Kupka dkupka at redhat.com
Thu Sep 18 14:44:50 UTC 2014



On 09/18/2014 04:40 PM, Simo Sorce wrote:
> On Thu, 18 Sep 2014 16:28:19 +0200
> Martin Kosek <mkosek at redhat.com> wrote:
>
>> On 09/18/2014 04:06 PM, David Kupka wrote:
>>> On 09/18/2014 03:44 PM, Rob Crittenden wrote:
>>>> David Kupka wrote:
>>>>> https://fedorahosted.org/freeipa/ticket/4421
>>>>
>>>> You are removing an ACI in this patch. It is always possible it is
>>>> no longer needed. Did you test all the client enrollment scenarios?
>>>>
>>>> rob
>>>>
>>>
>>> As far as I'm aware I'm not removing any ACI. I'm modifying ACI so
>>> it is possible to add krbPrincipalName to host even when there is
>>> already one (or more). And adding one ACI to allow writing
>>> krbCanonicalName to host. But I'm still not really familiar with
>>> ACI so please correct me if I'm wrong.
>>>
>>
>> What he refers to is probably the update in ACI.txt - the ACI
>> alternative to API.txt. David updated an ACI, not removed it.
>>
>> On that note, what is the reason for this permission change:
>>
>> -            'ipapermtargetfilter': [
>> -                '(objectclass=ipahost)',
>> -                '(!(krbprincipalname=*))',
>> -            ],
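Review bot: Dropping `(!(krbprincipalname=*))` from `ipapermtargetfilter` widens this permission from hosts that have no principal yet to every `ipahost` entry, including hosts that already carry one or more principals; since the thread describes the intent as "allow adding a further krbPrincipalName to a host that already has one", the commit message (and the permission's description) should state that the scope changes and why the "no existing principal" restriction is no longer needed, so the broadened write access is a recorded decision rather than a side effect.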
>>
>> ?
>
> I think both the code and the tests are also missing a check to ensure that
> the krbPrincipalName *also* *always* lists the krbCanonicalName.
>
> I think with the current code you can end up in a situation where you
> can have a value in KrbCanonicalName and completely different values in
> KrbPrincipalName.

I didn't realize that there is such a requirement, although it's logical. I
will fix it, thanks.

>
> Simo.
>

-- 
David Kupka
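As an added example (not code from the patch or from FreeIPA), a stand-alone check for the invariant Simo raises above: whenever a host entry has a krbCanonicalName, that value must also be listed among its krbPrincipalName values, and the fix is to add it there rather than leave the two attributes drifting apart. The dict layout, attribute casing and the sample principal names are assumptions made for this example.

```python
# Added example, not FreeIPA code. Entries are modelled as dicts mapping
# lower-cased LDAP attribute names to lists of values (an assumption of
# this example only).

def check_principal_invariant(entry):
    """Return a list of problems; an empty list means the entry is consistent.

    The invariant checked is the one from the thread: the krbCanonicalName
    value must always be one of the krbPrincipalName values.
    """
    canonical = entry.get("krbcanonicalname", [])
    principals = entry.get("krbprincipalname", [])
    problems = []
    if len(canonical) > 1:
        problems.append("more than one krbCanonicalName value")
    if canonical and canonical[0] not in principals:
        problems.append(
            "krbCanonicalName %r is not listed in krbPrincipalName" % canonical[0])
    return problems


def normalize_principals(entry):
    """Return a copy of entry with krbCanonicalName added to krbPrincipalName
    when it is missing there. The input dict is left unchanged."""
    fixed = {k: list(v) for k, v in entry.items()}
    canonical = fixed.get("krbcanonicalname", [])
    if len(canonical) == 1 and canonical[0] not in fixed.get("krbprincipalname", []):
        fixed.setdefault("krbprincipalname", []).append(canonical[0])
    return fixed


# Constructed sample entries; host names and realm are made up.
GOOD = {
    "krbcanonicalname": ["host/web.example.test@EXAMPLE.TEST"],
    "krbprincipalname": ["host/web.example.test@EXAMPLE.TEST",
                         "host/www.example.test@EXAMPLE.TEST"],
}
# The failure mode from the thread: canonical name and principal list disagree.
DRIFTED = {
    "krbcanonicalname": ["host/db.example.test@EXAMPLE.TEST"],
    "krbprincipalname": ["host/db-alias.example.test@EXAMPLE.TEST"],
}

if __name__ == "__main__":
    for name, entry in (("GOOD", GOOD), ("DRIFTED", DRIFTED)):
        print(name, check_principal_invariant(entry) or "ok")
    print(normalize_principals(DRIFTED)["krbprincipalname"])
```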
