[Freeipa-devel] [PATCH] s4u2proxy support

Alexander Bokovoy abokovoy at redhat.com
Wed Dec 14 19:22:50 UTC 2011


On Wed, 14 Dec 2011, Rob Crittenden wrote:

> Dmitri Pal wrote:
> >On 12/12/2011 07:15 PM, Simo Sorce wrote:
> >>On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
> >>>This patch adds support for s4u2proxy. This means that the Apache server
> >>>will obtain the ldap service ticket on behalf of the user rather than
> >>>the user having to send their TGT. The user's ticket still needs to be
> >>>forwardable, we just don't require it to be forwarded any more.
> >>
> >>Should we make the patch allow the old behavior by using a switch that
> >>reverts to forwarding the TGT?
> >>
> >>It would be useful during upgrades if some of your servers still need
> >>forwarded TGTs, or if you want to use a newer client against an old
> >>server while you have the newer stuff under test.
> >>(And to test in general).
> >>
> >>Simo.
> >+1
> >
> 
> Updated patch attached.
> 
> rob

> From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
> From: Rob Crittenden <rcritten at redhat.com>
> Date: Thu, 8 Dec 2011 14:23:18 -0500
> Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
>  now
> 
> A forwardable ticket is still required but we no longer need to send
> the TGT to the IPA server. A new flag, --delegation, is available if
> the old behavior is required.

A minor point: please fix the commit message to use the proper option name:

--delegate

> +        parser.add_option('--delegate', action='store_true',
> +            help='Delegate the TGT to the IPA server',
> +        )
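
Review bot: The help string on the new option, 'Delegate the TGT to the IPA server', does not tell the user that this is the old behaviour or that S4U2Proxy is used when the flag is absent. Since the flag hands the user's TGT to the server, the help text should say so, for example 'Delegate the TGT to the IPA server (old behaviour; S4U2Proxy is used by default)'. The call also passes no default=, so an optparse store_true option written this way is None rather than False when the flag is omitted; adding default=False would make the off state explicit.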

Otherwise ACK.

-- 
/ Alexander Bokovoy



