On Tue, Jan 29, 2013 at 10:13:12AM -0500, Simo Sorce wrote:
> On Tue, 2013-01-29 at 14:10 +0100, Sumit Bose wrote:
> > = Implementation =
> >
> > To avoid issues during upgrade I think all changes done to fix #3263
> > should be preserved, i.e. the NFS service will have a hardcoded default
> > 'NONE'. Otherwise the LDAP objects of the NFS services must be modified
> > during upgrade.
> >
> > In ipadb_sign_authdata() a call like
> > <pre>
> > ret = get_service_pac_type(server->princ, &pac_type);
> > </pre>
> > can be added, where get_service_pac_type() runs a LDAP search with a
> > filter like
> > '(&(objectclass=ipaService)(krbPrincipalName=SERVER_PRINCIPAL))' which
> > looks for the ipakrbauthzdata attribute.
>
> In ipa-kdb we can keep around data when the principal is retrieved from
> LDAP. So we should keep around data about the pac_type and then retrieve
> it through krb5_entry.
>
> If we are missing the krb5_entry we should ask MIT to change the
> interface to pass it in.

ipadb_e_data is already used for extra data. I will update the page
accordingly.

bye,
Sumit

>
> We should *not* perform additional searches, they are costly.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York