[Freeipa-devel] [DESIGN] Kerberos principal alias handling
Martin Kosek
mkosek at redhat.com
Mon Apr 18 08:31:23 UTC 2016
On 04/08/2016 05:10 PM, Martin Babinsky wrote:
> Hi list,
>
> I have put together a draft [1] outlining the effort to reimplement the
> handling of Kerberos principals in both backend and frontend layers of FreeIPA
> so that we may have multiple aliases per user, host or service and thus
> implement stuff like https://fedorahosted.org/freeipa/ticket/3961 and
> https://fedorahosted.org/freeipa/ticket/5413 .
>
> Since much of the plumbing was already implemented,[2] the document mainly
> describes what the patches do. Some parts required by other use cases may be
> missing so please point these out.
>
> I would also be happy if you could correct all factual inaccuracies, I did
> research on this issue a long time ago and my knowledge turned a bit rusty.
>
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> [2] https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html
Thanks! Looking at the planned API/CLI, besides the typo ("prinicpal"), I also
see that you are using the Kerberos attributes in the raw name
("--krbprincipalname"). This is not consistent with the CLI form when they are
used in other commands:
...
    Str('krbprincipalname?', validate_principal,
        cli_name='principal',
        label=_('Kerberos principal'),
        default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
        autofill=True,
        flags=['no_update'],
        normalizer=lambda value: normalize_principal(value),
    ),
    DateTime('krbprincipalexpiration?',
        cli_name='principal_expiration',
        label=_('Kerberos principal expiration'),
    ),
...
IMO, it should be rather "--principal" and "--principal-alias".
Martin