[Freeipa-devel] Krb service delegation rules in CLI
Simo Sorce
simo at redhat.com
Mon Sep 22 21:59:18 UTC 2014
On Mon, 22 Sep 2014 17:45:55 +0200
Martin Basti <mbasti at redhat.com> wrote:
> Hello,
>
> Related ticket: https://fedorahosted.org/freeipa/ticket/3644
>
>
> 1) API
>
> The ipaKrb5DelegationACL objectclass requires targets which are
> stored in extra objectclass.
>
> A) we allow users to create groups of principals and then associate
> them as targets -- user can use same group for multiple delegation ACL
>
> B) users specify only list of target principals (no groups)
>
> B seems better to me.
Why would you want to limit reusability of target groups?
I think it will be rather common to allow multiple services to be
allowed to target the same group of services (like LDAP servers).
> 2)
> We should create extra subtree for delegation targets
> (cn=user_targets,cn=s4u2proxy) to separate targets and rules.
>
> Any objections?
I am not against a subtree for convenience, it should just be called
cn=targets or cn=delegation-targets though, the targets are never users
so user_targets doesn't make much sense.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
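As an added illustration of the two points in this exchange (reusable target groups, and a dedicated targets subtree), the following example is not part of the thread or of FreeIPA's code. It builds a constructed LDIF in which two delegation rules share one target group under a cn=targets container, then evaluates "may proxy P delegate to target T" with a simplified model of how such rules are read: an ipaKrb5DelegationACL entry listing the proxy as memberPrincipal grants the memberPrincipals of every group named in its ipaAllowedTarget. The objectclass and attribute names (ipaKrb5DelegationACL, groupOfPrincipals, memberPrincipal, ipaAllowedTarget, nsContainer) are FreeIPA's existing schema; the suffix, hostnames, realm and rule names are placeholders chosen for the example.

```python
# Added example, not code from the thread or from FreeIPA.
# Objectclasses/attributes follow FreeIPA's s4u2proxy schema; the suffix,
# realm, hostnames and rule names below are constructed placeholders.
from collections import defaultdict

SUFFIX = "dc=example,dc=test"   # placeholder base DN
REALM = "EXAMPLE.TEST"          # placeholder realm

# Constructed LDIF: a cn=targets container, one reusable target group,
# and two rules (option A in the thread) that both point at that group.
SAMPLE_LDIF = f"""\
dn: cn=targets,cn=s4u2proxy,cn=etc,{SUFFIX}
objectClass: top
objectClass: nsContainer
cn: targets

dn: cn=ldap-servers,cn=targets,cn=s4u2proxy,cn=etc,{SUFFIX}
objectClass: top
objectClass: groupOfPrincipals
cn: ldap-servers
memberPrincipal: ldap/ldap1.example.test@{REALM}
memberPrincipal: ldap/ldap2.example.test@{REALM}

dn: cn=http-to-ldap,cn=s4u2proxy,cn=etc,{SUFFIX}
objectClass: top
objectClass: groupOfPrincipals
objectClass: ipaKrb5DelegationACL
cn: http-to-ldap
memberPrincipal: HTTP/www.example.test@{REALM}
ipaAllowedTarget: cn=ldap-servers,cn=targets,cn=s4u2proxy,cn=etc,{SUFFIX}

dn: cn=app-to-ldap,cn=s4u2proxy,cn=etc,{SUFFIX}
objectClass: top
objectClass: groupOfPrincipals
objectClass: ipaKrb5DelegationACL
cn: app-to-ldap
memberPrincipal: app/app.example.test@{REALM}
ipaAllowedTarget: cn=ldap-servers,cn=targets,cn=s4u2proxy,cn=etc,{SUFFIX}
"""


def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into {dn: {attr: [values]}}.

    DNs and attribute names are lower-cased so lookups are case-insensitive,
    which matches how LDAP treats them.
    """
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(": ")
            attrs[name.lower()].append(value)
        dn = attrs.pop("dn")[0]
        entries[dn.lower()] = dict(attrs)
    return entries


def allowed_targets(entries, proxy):
    """Target principals `proxy` may delegate to (simplified model).

    Every ipaKrb5DelegationACL entry naming the proxy in memberPrincipal
    contributes the memberPrincipal values of each group referenced by its
    ipaAllowedTarget attribute. Unknown group DNs contribute nothing.
    """
    targets = set()
    for attrs in entries.values():
        classes = {oc.lower() for oc in attrs.get("objectclass", [])}
        if "ipakrb5delegationacl" not in classes:
            continue
        if proxy not in attrs.get("memberprincipal", []):
            continue
        for group_dn in attrs.get("ipaallowedtarget", []):
            group = entries.get(group_dn.lower(), {})
            targets.update(group.get("memberprincipal", []))
    return targets


def may_delegate(entries, proxy, target):
    """True if a rule permits `proxy` to obtain a ticket for `target`."""
    return target in allowed_targets(entries, proxy)


def rules_referencing(entries, group_dn):
    """DNs of rules that reuse a given target group (the reusability point)."""
    wanted = group_dn.lower()
    return sorted(dn for dn, attrs in entries.items()
                  if wanted in [t.lower() for t in attrs.get("ipaallowedtarget", [])])


if __name__ == "__main__":
    db = parse_ldif(SAMPLE_LDIF)
    http = f"HTTP/www.example.test@{REALM}"
    print(sorted(allowed_targets(db, http)))
    print(rules_referencing(db, f"cn=ldap-servers,cn=targets,cn=s4u2proxy,cn=etc,{SUFFIX}"))
```

Running the script lists the two LDAP principals the HTTP service may delegate to and shows both rules resolving to the same cn=ldap-servers group, so changing the group's members (for example when an LDAP replica is added) updates every rule that references it; a service not named in any rule, or a target outside the group, is refused.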