[Freeipa-devel] [PATCH] Fix password/random logic in host plugin.
Simo Sorce
ssorce at redhat.com
Wed Jan 19 20:55:39 UTC 2011
On Wed, 19 Jan 2011 15:22:22 -0500
Dmitri Pal <dpal at redhat.com> wrote:
> I thought that enrollment is based only on presence of the keytab.
By keytab I guess you mean the krbPrincipalKey attribute.
The presence of that attribute is unknown to all users except
cn=Directory Manager and uid=kdc, so no user can check for its
presence as our ACIs prevent any access for reading (and rightly so).
I think the krbPrincipalName attribute was used to check if Kerberos
credentials were assigned.
Simo.
--
Simo Sorce * Red Hat, Inc * New York