[Freeipa-devel] [RFE] Read and use per-service PAC type

Simo Sorce simo at redhat.com
Tue Jan 29 15:13:12 UTC 2013


On Tue, 2013-01-29 at 14:10 +0100, Sumit Bose wrote:
> = Implementation =
> 
> To avoid issues during upgrade I think all changes done to fix #3263
> should be preserved, i.e. the NFS service will have a hardcoded default
> 'NONE'. Otherwise the LDAP objects of the NFS services must be modified
> during upgrade.
> 
> In ipadb_sign_authdata() a call like
> <pre>
> ret = get_service_pac_type(server->princ, &pac_type);
> </pre>
> can be added, where get_service_pac_type() runs an LDAP search with a
> filter like
> '(&(objectclass=ipaService)(krbPrincipalName=SERVER_PRINCIPAL))' which
> looks for the ipakrbauthzdata attribute.
> 
In ipa-kdb we can keep around data when the principal is retrieved from
LDAP. So we should keep around data about the pac_type and then retrieve
it through krb5_entry.

If we are missing the krb5_entry we should ask MIT to change the
interface to pass it in.

We should *not* perform additional searches, they are costly.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
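Sketching the quoted proposal in C, as an added example that is neither Sumit's nor ipa-kdb's code: the principal is escaped per RFC 4515 before it is spliced into the search filter (a principal containing '*', '(' or ')' would otherwise change the filter's meaning), and the PAC type is resolved from attribute values already kept with the entry, so no second search is needed. The "nfs/" prefix check and the PAC_UNSET fallback for non-NFS services without the attribute are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Values of ipakrbauthzdata (MS-PAC, PAD, NONE); the numeric codes are
 * this example's own. PAC_UNSET means "attribute absent, use global default". */
enum pac_type { PAC_UNSET = -1, PAC_NONE = 0, PAC_MSPAC = 1, PAC_PAD = 2 };

/* Escape a value for use inside an LDAP filter (RFC 4515): '*', '(', ')'
 * and '\' become \2a, \28, \29, \5c. Returns length written, -1 if out is too small. */
int ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (n + 3 >= outlen) return -1;
            n += (size_t)snprintf(out + n, outlen - n, "\\%02x", *p);
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = (char)*p;
        }
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the per-service lookup filter from a principal of untrusted origin. */
int build_service_filter(const char *princ, char *out, size_t outlen)
{
    char esc[512];
    if (ldap_filter_escape(princ, esc, sizeof(esc)) < 0) return -1;
    int n = snprintf(out, outlen,
                     "(&(objectclass=ipaService)(krbPrincipalName=%s))", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Resolve the PAC type from attribute values already held with the entry
 * (no extra LDAP round trip). NFS services default to NONE as in #3263;
 * other services without the attribute report PAC_UNSET (assumption). */
enum pac_type service_pac_type(const char *princ, const char *const *authz, size_t nvals)
{
    for (size_t i = 0; i < nvals; i++) {
        if (strcasecmp(authz[i], "NONE") == 0) return PAC_NONE;
        if (strcasecmp(authz[i], "MS-PAC") == 0) return PAC_MSPAC;
        if (strcasecmp(authz[i], "PAD") == 0) return PAC_PAD;
    }
    return strncmp(princ, "nfs/", 4) == 0 ? PAC_NONE : PAC_UNSET;
}
```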