[Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user

Alexander Bokovoy abokovoy at redhat.com
Wed Mar 9 12:40:49 UTC 2016


On Wed, 09 Mar 2016, Martin Basti wrote:
>
>
>On 09.03.2016 13:19, Alexander Bokovoy wrote:
>>On Wed, 09 Dec 2015, Simo Sorce wrote:
>>>From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>>>From: Simo Sorce <simo at redhat.com>
>>>Date: Tue, 24 Nov 2015 18:01:52 -0500
>>>Subject: [PATCH] Allow to specify Kerberos authz data type per user
>>>
>>>Like for services setting the ipaKrbAuthzData attribute on a user object will
>>>allow us to control exactly what authz data is allowed for that user.
>>>Setting NONE would allow no authz data, while setting MS-PAC would allow only
>>>Active Directory compatible data.
>>>
>>>Signed-off-by: Simo Sorce <simo at redhat.com>
>>>
>>>Ticket: https://fedorahosted.org/freeipa/ticket/2579
>>ACK for the code as that is obvious, but I have a question about
>>objectclass replication -- we extend the objectclass definition to allow
>>more attributes in MAY. How does 389-ds handle replication of such a case,
>>will a new definition override the old one without any problem?
>If it will be updated by ipa-server-upgrade, it should be done without
>any problem.
I'm interested in the replication part.

-- 
/ Alexander Bokovoy



