[Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user

Martin Basti mbasti at redhat.com
Wed Mar 9 18:02:15 UTC 2016



On 09.03.2016 13:44, Martin Basti wrote:
>
>
> On 09.03.2016 13:40, Alexander Bokovoy wrote:
>> On Wed, 09 Mar 2016, Martin Basti wrote:
>>>
>>>
>>> On 09.03.2016 13:19, Alexander Bokovoy wrote:
>>>> On Wed, 09 Dec 2015, Simo Sorce wrote:
>>>>> From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
>>>>> From: Simo Sorce <simo at redhat.com>
>>>>> Date: Tue, 24 Nov 2015 18:01:52 -0500
>>>>> Subject: [PATCH] Allow to specify Kerberos authz data type per user
>>>>>
>>>>> As for services, setting the ipaKrbAuthzData attribute on a user object
>>>>> will allow us to control exactly what authz data is allowed for that user.
>>>>> Setting NONE would allow no authz data, while setting MS-PAC would allow
>>>>> only Active Directory compatible data.
>>>>>
>>>>> Signed-off-by: Simo Sorce <simo at redhat.com>
>>>>>
>>>>> Ticket: https://fedorahosted.org/freeipa/ticket/2579
>>>> ACK for the code as that is obvious, but I have a question about
>>>> objectclass replication -- we extend the objectclass definition to allow
>>>> more attributes in MAY. How does 389-ds handle replication of such a case;
>>>> will a new definition override the old one without any problem?
>>> If it is updated by ipa-server-upgrade, it should be done without any
>>> problem.
>> I'm interested in the replication part.
>>
> ipa-server-upgrade will cause the schema definition to be replicated.
> If you just put the ldif file into the directory and restart DS, then it
> will not be replicated. Replication requires that schema definitions be
> added via ldapadd/mod. Thierry can provide more details.
>
> Martin^2
>
Pushed to:
master: 7a20fc671b07344b0ee8460bef07398cb3ffaf59
ipa-4-3: 6798ee6d0db1aa5d975b82e156790d81960c8a7a
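As an added illustration of the per-user setting the commit message describes (this is not code from the patch or from the thread), the shell function below builds the LDIF modification that puts ipaKrbAuthzData on a single user entry, accepting only the two values named in the commit message, NONE and MS-PAC, and refusing anything else. The user DN layout uid=<login>,cn=users,cn=accounts,<basedn>, the ldapmodify/ldapsearch invocations in the comments and the host name ipa.example.com are assumptions for the example, not something the patch specifies.

```shell
# Added example (not part of the patch or this thread): build the LDIF that sets
# ipaKrbAuthzData on one user entry, accepting only the two values the commit
# message names. Assumes the usual FreeIPA user DN layout
# uid=<login>,cn=users,cn=accounts,<basedn>; adjust if your layout differs.
authz_ldif() {
    login="$1"
    basedn="$2"
    value="$3"
    case "$value" in
        NONE|MS-PAC) ;;
        *)
            echo "authz_ldif: unsupported ipaKrbAuthzData value '$value' (expected NONE or MS-PAC)" >&2
            return 1
            ;;
    esac
    printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$login" "$basedn"
    printf 'changetype: modify\n'
    printf 'replace: ipaKrbAuthzData\n'
    printf 'ipaKrbAuthzData: %s\n' "$value"
}

# Count the ipaKrbAuthzData values in an LDIF or ldapsearch dump read on stdin;
# useful for confirming what a user entry carries after the change replicated.
# grep -c prints 0 and exits non-zero when nothing matches, hence the || true.
authz_count() {
    grep -c '^ipaKrbAuthzData: ' || true
}

# Typical use (needs an admin Kerberos ticket; host and base DN are hypothetical):
#   authz_ldif alice dc=example,dc=com MS-PAC | ldapmodify -Y GSSAPI -H ldap://ipa.example.com
#   ldapsearch -Y GSSAPI -H ldap://ipa.example.com \
#       -b uid=alice,cn=users,cn=accounts,dc=example,dc=com ipaKrbAuthzData | authz_count
```

Because the function writes a `replace:` change, any previous ipaKrbAuthzData values on the entry are dropped, which is what you want when switching a user from MS-PAC to NONE; check the entry on a second replica with the ldapsearch line to confirm the value arrived there as well.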