On Wed, 14 Dec 2011, Rob Crittenden wrote:
> Dmitri Pal wrote:
> >On 12/12/2011 07:15 PM, Simo Sorce wrote:
> >>On Mon, 2011-12-12 at 15:22 -0500, Rob Crittenden wrote:
> >>>This patch adds support for s4u2proxy. This means that the Apache
> >>>server will obtain the ldap service ticket on behalf of the user
> >>>rather than the user having to send their TGT. The user's ticket
> >>>still needs to be forwardable, we just don't require it to be
> >>>forwarded any more.
> >>
> >>Should we make the patch allow the old behavior by using a switch that
> >>reverts to forwarding the TGT ?
> >>
> >>It would be useful during upgrades if some of your servers still need
> >>forwarded TGTs, or if you want to use a newer client against an old
> >>server while you have the newer stuff under test.
> >>(And to test in general).
> >>
> >>Simo.
> >+1
> >
>
> Updated patch attached.
>
> rob
> >From 03a2c9a536811437e4847e1c6b11d2ac0eff98f2 Mon Sep 17 00:00:00 2001
> From: Rob Crittenden <rcrit...@redhat.com>
> Date: Thu, 8 Dec 2011 14:23:18 -0500
> Subject: [PATCH] Don't set delegation flag in client, we're using S4U2Proxy
>  now
>
> A forwardable ticket is still required but we no longer need to send
> the TGT to the IPA server. A new flag, --delegation, is available if
> the old behavior is required.

A minor point: please fix commit message to use proper option name: --delegate

> + parser.add_option('--delegate', action='store_true', > + help='Delegate the TGT to the IPA server', > + )

Otherwise ACK.

--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
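
Review bot: the help string on the new `--delegate` option, 'Delegate the TGT to the IPA server', does not tell the user that this is now the non-default path or when it is needed. Since the commit message says the flag exists for cases where the old behavior is required, the help text could say so, for example that the default uses S4U2Proxy and that `--delegate` forwards the TGT for servers that still require it. Also, if `parser` is a plain optparse parser, `action='store_true'` without `default=False` leaves the value as None when the flag is absent; adding `default=False` keeps it a strict boolean for whatever code reads it outside the visible lines.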