[Freeipa-devel] [PATCHES] [RFC] New getkeytab operation: why not to use kadmin protocol?
Simo Sorce
simo at redhat.com
Thu Mar 6 13:23:28 UTC 2014
On Thu, 2014-03-06 at 09:50 +0100, Petr Spacek wrote:
> On 5.3.2014 23:18, Simo Sorce wrote:
> > Thanks for reading this far :-)
>
> I will bikeshed this thread a little bit:
> Can we use kadmin protocol instead of the proprietary LDAP control?
You know, you already asked the same question last year when I sent the
first RFC patchset; the answer is in that thread :)
> If I remember correctly one of objections was that we do not allow admin to
> read the key but it is not true anymore ... And we have ticket delegation
> capabilities so kadmin process can use credentials of requester to contact LDAP.
>
> I really don't like ipa-getkeytab :-) It is yet another proprietary tool. I
> would like to allow admins experienced with Kerberos to use normal kadmin.
Right, but this is not the feedback I was looking for; we already have
ipa-getkeytab and now we need an additional feature this patchset
provides, so I'd like comments on the implementation.
When we have a way to use kadmin, the core of this code will still
be relevant, as we'll use the same mechanism to control who can do what.
Simo.
--
Simo Sorce * Red Hat, Inc * New York