[Freeipa-devel] Krb service delegation rules in CLI
Martin Basti
mbasti at redhat.com
Mon Sep 22 15:45:55 UTC 2014
Hello,
Related ticket: https://fedorahosted.org/freeipa/ticket/3644
1) API
The ipaKrb5DelegationACL objectclass requires targets which are stored
in an extra objectclass.
A) we allow users to create groups of principals and then associate them
as targets -- a user can use the same group for multiple delegation ACLs
B) users specify only list of target principals (no groups)
B seems better to me.
2)
We should create an extra subtree for delegation targets
(cn=user_targets,cn=s4u2proxy) to separate targets and rules.
Any objections?
Martin^2
--
Martin Basti