[Freeipa-devel] ipadb.so

Dmitri Pal dpal at redhat.com
Tue Sep 10 14:58:26 UTC 2013


On 09/10/2013 01:19 AM, Mahmoud wrote:
> Hello,
>
> Thank you for your response.
> When a user gets a TGT, he can get service tickets without typing a
> password. I would like to have several levels of users. As high level users
> have more access to resources, I want to grant a ticket with less
> validation time. In other words, I want to have several ticket life
> times according to user levels.

If you use IPA then you can use the default policy to set the default value.
The attribute you care about is krbMaxTicketLife.
You can use the realm entry to set the default policy for the majority
of principals:

   dn: cn=EXAMPLE.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
   cn: EXAMPLE.COM
   objectClass: top
   objectClass: krbrealmcontainer
   objectClass: krbticketpolicyaux
   krbSubTrees: dc=gsslab,dc=rdu,dc=redhat,dc=com
   krbSearchScope: 2
   krbSupportedEncSaltTypes: aes256-cts:normal
   krbSupportedEncSaltTypes: aes128-cts:normal
   krbSupportedEncSaltTypes: des3-hmac-sha1:normal
   krbSupportedEncSaltTypes: arcfour-hmac:normal
   krbSupportedEncSaltTypes: des-hmac-sha1:normal
   krbSupportedEncSaltTypes: des-cbc-md5:normal
   krbSupportedEncSaltTypes: des-cbc-crc:normal
   krbSupportedEncSaltTypes: des-cbc-crc:v4
   krbSupportedEncSaltTypes: des-cbc-crc:afs3
   krbDefaultEncSaltTypes: aes256-cts:normal
   krbDefaultEncSaltTypes: aes128-cts:normal
   krbDefaultEncSaltTypes: des3-hmac-sha1:normal
   krbDefaultEncSaltTypes: arcfour-hmac:normal
   krbDefaultEncSaltTypes: des-hmac-sha1:normal
   krbDefaultEncSaltTypes: des-cbc-md5:normal
   krbMKey:: GFFFYTUYFUYFHJJJHGJGJHGJHGJ


Set krbMaxTicketLife to a value in seconds.

Then, per principal, you can set it to the specific value you need based on the type of the user.
There is no need to recompile any code.

You can also look at the password policies feature in IPA. We added the ability to define a policy per group. If you want to manage krbMaxTicketLife per group you might do a similar thing.
Let me know if you are interested in contributing this feature to IPA.   

Thanks
Dmitri


>
>
> On Tue, Sep 10, 2013 at 5:24 AM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
>     On 09/09/2013 12:49 PM, Mahmoud wrote:
>>     Hello Mr. Dmitri Pal
>>
>>     Thank you very much for your help.
>>
>>     I tried to change the source code to have more options. It was
>>     difficult for me to understand the FreeIPA source code. Hence, I
>>     decided to change the Kerberos source code. I want to add more
>>     features to Kerberos. For example, I would like to have two (or
>>     several) types of ticket expiration.
>
>     What do you mean by several types of ticket expiration?
>     Can you please give an example?
>
>
>>
>>     Thanks
>>     Best regards
>>
>>
>>     On Mon, Sep 9, 2013 at 8:13 PM, Dmitri Pal <dpal at redhat.com
>>     <mailto:dpal at redhat.com>> wrote:
>>
>>         On 09/09/2013 10:55 AM, Mahmoud wrote:
>>>         Hello,
>>>
>>>         Thank you very much for your time and attention.
>>>
>>>         I changed the client side code (kinit.c) but it requires
>>>         changing all clients. Now, I have decided to change the server side code.
>>
>>         It seems that you should try to contribute code upstream if
>>         you want to end up with any kind of support of your
>>         enhancements, otherwise you would have to maintain your own
>>         version.
>>
>>
>>>         I thought it may be better choice. Should I change policy.c
>>>         file to change ticket policies?
>>
>>         What policies do you want to change and why? You might have
>>         described your intent on some other thread in some other list
>>         but not here.
>>
>>
>>>         It does not require recompiling krb5kdc?
>>
>>         I suspect it does...
>>
>>
>>>         I installed FreeIPA on Fedora 18. When I execute the klist -V
>>>         command, I get the following result:
>>>         Kerberos 5 version 1.10.3
>>>
>>         Fedora 19 has 1.11
>>
>>         IMO the best would be to have a detailed explanation of what
>>         you are trying to accomplish.
>>         This way we would be able to help you with the right approach.
>>         But it seems that building custom code might not be the best option.
>>
>>         Thanks
>>         Dmitri
>>
>>
>>>         Best regards.
>>>
>>>         On Mon, Sep 9, 2013 at 6:00 PM, Simo Sorce <simo at redhat.com
>>>         <mailto:simo at redhat.com>> wrote:
>>>
>>>             On Mon, 2013-09-09 at 08:07 +0430, Mahmoud wrote:
>>>             > Hello Simo
>>>             >
>>>             >
>>>             > The previous problem occurred due to installing
>>>             krb5-1.11.3. I installed
>>>             > krb5-1.10.6 and copied ipadb.so into the appropriate
>>>             directory, hence the
>>>             > problem has been solved. Is it all right?
>>>
>>>
>>>             No it is not, we require 1.11.3 for OTP support in the
>>>             latest FreeIPA.
>>>
>>>             Seriously, changing the KDC is the last thing you want
>>>             to do to solve
>>>             your problem.
>>>
>>>             Have you looked into creating custom ticket policies for
>>>             your users ?
>>>
>>>             Why do you need to change the KDC to do that ?
>>>
>>>             Simo.
>>>             >
>>>             > Thank you.
>>>             >
>>>             > Best regards.
>>>             >
>>>             >
>>>             >
>>>             > On Mon, Sep 9, 2013 at 7:47 AM, Luke Howard
>>>             <lukeh at padl.com <mailto:lukeh at padl.com>> wrote:
>>>             >
>>>             >         On 09/09/2013, at 1:08 PM, Mahmoud
>>>             <gh.mdgh at gmail.com <mailto:gh.mdgh at gmail.com>> wrote:
>>>             >
>>>             >         > I thought FreeIPA uses krb5-1.10.3, but when I
>>>             use klist -V I get the
>>>             >         following result:
>>>             >         > Kerberos 5 version 1.10.3
>>>             >
>>>             >
>>>             >         Aren't these the same thing?
>>>             >
>>>             >         -- Luke
>>>             >
>>>             >
>>>
>>>
>>>             --
>>>             Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>>
>>>
>>>         _______________________________________________
>>>         Freeipa-devel mailing list
>>>         Freeipa-devel at redhat.com <mailto:Freeipa-devel at redhat.com>
>>>         https://www.redhat.com/mailman/listinfo/freeipa-devel
>>
>>
>>         -- 
>>         Thank you,
>>         Dmitri Pal
>>
>>         Sr. Engineering Manager for IdM portfolio
>>         Red Hat Inc.
>>
>>
>>         -------------------------------
>>         Looking to carve out IT costs?
>>         www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>>
>>
>>
>>
>>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
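As an added illustration of the per-principal krbMaxTicketLife approach Dmitri describes (this is example code written for this page, not FreeIPA project code), the script below maps hypothetical user tiers to ticket lifetimes, emits the equivalent `ipa krbtpolicy-mod` commands and an `ldapmodify` LDIF, and models how the MIT KDC bounds the lifetime it actually grants. The realm EXAMPLE.COM, base DN dc=example,dc=com, the user container cn=users,cn=accounts and the tier table are all assumptions, not values from the thread.

```python
"""Tiered Kerberos ticket lifetimes for FreeIPA users (added example).

Assumed, not taken from the thread: realm EXAMPLE.COM with base DN
dc=example,dc=com, user entries under cn=users,cn=accounts, and the
hypothetical tier -> seconds table below.
"""
from typing import Dict, List

# Hypothetical policy: the more privileged the tier, the shorter the TGT life.
TIER_MAX_LIFE: Dict[str, int] = {
    "standard": 24 * 3600,  # 1 day, same as a typical realm default
    "elevated": 4 * 3600,   # 4 hours
    "admin": 3600,          # 1 hour
}

BASE_DN = "dc=example,dc=com"  # assumption


def user_dn(uid: str) -> str:
    """DN of a FreeIPA user entry under the assumed base DN."""
    return f"uid={uid},cn=users,cn=accounts,{BASE_DN}"


def ipa_commands(users: Dict[str, str]) -> List[str]:
    """Per-principal override through the IPA CLI.

    'ipa krbtpolicy-mod USER --maxlife=SECONDS' sets krbMaxTicketLife on
    that user's entry; 'ipa krbtpolicy-mod --maxlife=SECONDS' without a
    user changes the realm-wide default instead.
    """
    return [
        f"ipa krbtpolicy-mod {uid} --maxlife={TIER_MAX_LIFE[tier]}"
        for uid, tier in sorted(users.items())
    ]


def ldif_modify(users: Dict[str, str]) -> str:
    """Same change expressed as LDIF for ldapmodify.

    The user entry needs the krbticketpolicyaux auxiliary objectClass before
    krbMaxTicketLife is valid on it. Caveat: 'add: objectClass' fails with
    'type or value exists' if the class is already present, which the ipa
    CLI handles for you; drop that sub-operation on such entries.
    """
    chunks = []
    for uid, tier in sorted(users.items()):
        chunks.append("\n".join([
            f"dn: {user_dn(uid)}",
            "changetype: modify",
            "add: objectClass",
            "objectClass: krbticketpolicyaux",
            "-",
            "replace: krbMaxTicketLife",
            f"krbMaxTicketLife: {TIER_MAX_LIFE[tier]}",
            "",
        ]))
    return "\n".join(chunks)


def effective_ticket_life(requested: int, realm_max: int,
                          client_max: int = 0, server_max: int = 0) -> int:
    """Model (written for this example) of how the MIT KDC bounds ticket life.

    The granted lifetime is the minimum of what the client asked for and
    every applicable non-zero max_life: realm policy, the client principal's
    own krbMaxTicketLife, and the service principal's. A per-user override
    can therefore only shorten the realm default; setting it above the realm
    or service limit has no effect.
    """
    bounds = [v for v in (realm_max, client_max, server_max) if v > 0]
    return min([requested] + bounds)


if __name__ == "__main__":
    # Constructed sample input: three users on three tiers.
    sample = {"alice": "admin", "bob": "elevated", "carol": "standard"}
    print("\n".join(ipa_commands(sample)))
    print(ldif_modify(sample))
    # An admin asking for the realm default of 1 day still gets 1 hour.
    print(effective_ticket_life(86400, 86400, TIER_MAX_LIFE["admin"]))
```

After applying either form, check the result with `ipa krbtpolicy-show USER` and then `kinit USER` followed by `klist`, which shows the shortened expiry on the TGT.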


