On Fri, Mar 08, 2013 at 10:31:58AM +0100, Jan Cholasta wrote:
> Hi,
>
> On 7.3.2013 21:15, Rob Crittenden wrote:
> >Based on a comment from Sumit in ticket
> >https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
> >how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
>
> Can we have one multi-valued attribute which contains names of flags
> to set instead of one attribute per flag? It might make adding new
> flags easier.

Yes, as said I think it makes sense to just add support for all flags
to find a good/scalable design. This way it would be a bit harder for
external applications which access the LDAP server directly to see
which flags are supported, but it will keep the schema much cleaner.

>
> Would it make sense to add a global configuration option to turn
> flags on or off for all services of a given type?

In general yes, I'm just wondering if this should be handled here or
tracked by a separate ticket/design because different LDAP objects will
be used to manage the defaults. Additionally we might want to think a
bit longer about how global defaults and individual flags will be
merged. I think it is not as easy as with the authorization date (PAC
type) where we said that individual setting replaces the defaults
because iirc the REQUIRES_PRE_AUTH is currently always set.

Please note also that this is not only about services but hosts and
users as well.

bye,
Sumit

>
> >
> >There is a bit of hand waving going on around how the flags are actually
> >set inside the KDB plugin since I'm not at all familiar with that code
> >but I don't expect it to be too big a deal.
> >
> >I'm not necessarily volunteering to do this work, just trying to keep
> >the ball moving forward.
> >
> >rob
> >
>
> Honza
>
> --
> Jan Cholasta
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel