
[Freeipa-devel] Krb service delegation rules in CLI



Hello,

Related ticket: https://fedorahosted.org/freeipa/ticket/3644


1) API

The ipaKrb5DelegationACL objectclass requires targets, which are stored in an extra objectclass.

A) we allow users to create groups of principals and then associate them as targets -- the user can use the same group for multiple delegation ACLs

B) users specify only a list of target principals (no groups)

B seems better to me.

2)
We should create an extra subtree for delegation targets (cn=user_targets,cn=s4u2proxy) to separate targets and rules.

Any objections?

Martin^2

--
Martin Basti

