[Freeipa-devel] [PROPOSAL] Kerberos flags

Sumit Bose sbose at redhat.com
Tue Mar 12 15:03:49 UTC 2013


On Tue, Mar 12, 2013 at 08:34:33AM -0400, Simo Sorce wrote:
> On Tue, 2013-03-12 at 10:23 +0100, Jan Cholasta wrote:
> > On 8.3.2013 14:41, Simo Sorce wrote:
> > > On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote:
> > >> Hi,
> > >>
> > >> On 7.3.2013 21:15, Rob Crittenden wrote:
> > >>> Based on a comment from Sumit in ticket
> > >>> https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
> > >>> how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
> > >>
> > >> Can we have one multi-valued attribute which contains names of flags to
> > >> set instead of one attribute per flag? It might make adding new flags
> > >> easier.
> > >
> > > if you are cramming everything in one attribute then we can keep using
> > > krbExtraData, no ?
> > 
> > I'm not sure if that can be done from Python.
> > 
> > Can we use krbTicketFlags for this? Support for this attribute is 
> > already in ipa-kdb and I have checked that setting it to the right value 
> > results in tickets with OK_AS_DELEGATE set.
> > 
> > >
> > >> Would it make sense to add a global configuration option to turn flags
> > >> on or off for all services of a given type?
> > >
> > > We might, but how do you check for the global value ?
> > > An additional search for every KDC operation is simply not going to
> > > happen.
> > 
> > Can we do that extra search only when the KDC is initialized and when 
> > configuration is refreshed? I don't think the default values would 
> > change too often, so this might be OK.
> 
> How do you know when the configuration changes ?

IIRC Martin introduced a reload of the configuration if it is older
than a certain time with the SID blacklist work.

bye,
Sumit

> 
> Simo.
> 
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
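As an added example (not code from this thread or from FreeIPA itself), the two ideas under discussion side by side in Python: flag names translated to and from the krbTicketFlags integer bitmask, and a per-service-type global default that is only re-read when the cached copy is older than a TTL, so the KDC does no extra search per request. The KDB_FLAGS bit values are taken from MIT krb5's kdb.h (KRB5_KDB_*); FlagResolver, load_global and the ttl are assumptions made for the example.

```python
import time

# Flag bits as defined in MIT krb5 kdb.h (KRB5_KDB_*); ipa-kdb stores this
# bitmask in the integer krbTicketFlags attribute. Subset only.
KDB_FLAGS = {
    "DISALLOW_FORWARDABLE": 0x00000002,
    "DISALLOW_PROXIABLE": 0x00000010,
    "REQUIRES_PRE_AUTH": 0x00000080,
    "OK_AS_DELEGATE": 0x00100000,
    "OK_TO_AUTH_AS_DELEGATE": 0x00200000,
}

def flags_to_mask(names):
    """Turn a multi-valued list of flag names into a krbTicketFlags value."""
    mask = 0
    for name in names:
        mask |= KDB_FLAGS[name]  # KeyError on an unknown name is deliberate
    return mask

def mask_to_flags(mask):
    """Inverse of flags_to_mask: sorted names of the bits set in `mask`."""
    return sorted(n for n, bit in KDB_FLAGS.items() if mask & bit)

class FlagResolver:
    """Hypothetical resolver: per-entry krbTicketFlags wins; otherwise the
    per-service-type default is used, re-read only when the cached copy is
    older than `ttl` seconds (the time-based reload approach from the thread)."""
    def __init__(self, load_global, ttl=300, clock=time.monotonic):
        self._load_global = load_global  # callable returning {type: [flag names]}
        self._ttl = ttl
        self._clock = clock
        self._cache = None
        self._loaded_at = None
        self.reloads = 0  # counts backend reads, to show caching behaviour

    def _global_defaults(self):
        now = self._clock()
        if self._cache is None or now - self._loaded_at > self._ttl:
            self._cache = self._load_global()
            self._loaded_at = now
            self.reloads += 1
        return self._cache

    def effective_flags(self, service_type, krb_ticket_flags=None):
        if krb_ticket_flags is not None:
            return krb_ticket_flags
        return flags_to_mask(self._global_defaults().get(service_type, ()))
```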



