[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.

Simo Sorce ssorce at redhat.com
Wed Jan 19 20:55:39 UTC 2011


On Wed, 19 Jan 2011 15:22:22 -0500
Dmitri Pal <dpal at redhat.com> wrote:

> I thought that enrollment is based only on presence of the keytab.

By keytab I guess you mean the krbPrincipalKey attribute.
The presence of that attribute is unknown to all users except
cn=Directory Manager and uid=kdc, so no user can check for its
presence as our ACIs prevent any access for reading (and rightly so).

I think the krbPrincipalName attribute was used to check if Kerberos
credentials were assigned.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



