Karl MacMillan wrote:
What group(s) do we want to limit keytab creation to? Right now it looks hardcoded to just admin.
What we can do is execute a query on an attribute or entry that only those allowed to create keytabs are allowed to read/search. If it succeeds they can generate a keytab, otherwise we throw an error.
It looks like the realm is always tacked onto the requested name. Should we only do that if it wasn't included? This would probably make life easier for existing Kerberos admins.
Finally, it looks like this will request ANY principal. We probably want to limit this to just service principals, right?