On 8.3.2013 16:45, Rob Crittenden wrote:
> One would need to pass in the object type they are dealing with:
>
> ipa krbflags --type=user --ok-as-delegate=false sbose
> ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com
>
> We *could* avoid type potentially but it would expand our search base and
> could slow things down with lots of entries.

Correct me if I'm wrong, but our KDC driver usually does sub-tree search with base dc=example,dc=com. (Except some special cases.) Or not? :-)

> We could search on the accounts
> container using (objectclass=ipaKrbPrincipal) and
> (|(uid=CRITERIA)(fqdn=CRITERIA)(krbprincipalname=CRITERIA)) or something like
> that. I think I'd prefer specifying a type to avoid the case where someone has
> a hostname the same as a uid (we typically allow specifying non-fqdn when
> managing hosts).

Would it be possible to define some reasonable default value for "--type"? I don't like typing "--service" all the time ...

--
Petr^2 Spacek

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
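
An added example, not part of the original thread and not FreeIPA code: it builds the untyped filter quoted above with CRITERIA escaped, and shows the uid/hostname collision that a type argument resolves. The directory entries, the default domain and realm, the short-name completion rule and all helper names are constructed for illustration.

```python
# Added illustration: constructed entries and hypothetical helpers, not FreeIPA code.
DOMAIN, REALM = "example.com", "EXAMPLE.COM"  # constructed defaults

ENTRIES = [  # constructed sample directory entries
    {"type": "user", "uid": "web1", "krbprincipalname": "web1@EXAMPLE.COM"},
    {"type": "host", "fqdn": "web1.example.com",
     "krbprincipalname": "host/web1.example.com@EXAMPLE.COM"},
    {"type": "service",
     "krbprincipalname": "HTTP/ipa.example.com@EXAMPLE.COM"},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so CRITERIA cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def untyped_filter(criteria):
    """The filter sketched in the thread, with CRITERIA escaped."""
    c = escape_filter_value(criteria)
    return ("(&(objectclass=ipaKrbPrincipal)"
            "(|(uid=%s)(fqdn=%s)(krbprincipalname=%s)))" % (c, c, c))

def resolve(criteria, obj_type=None):
    """Return entries CRITERIA could refer to, optionally limited to one type."""
    # Assumption: short names are completed with the default domain / realm.
    wanted = {n.lower() for n in
              (criteria, "%s.%s" % (criteria, DOMAIN), "%s@%s" % (criteria, REALM))}
    hits = []
    for entry in ENTRIES:
        if obj_type and entry["type"] != obj_type:
            continue
        values = {entry[a].lower() for a in ("uid", "fqdn", "krbprincipalname")
                  if a in entry}
        if wanted & values:
            hits.append(entry)
    return hits

def pick_target(criteria, obj_type=None):
    """Refuse to change a flag unless exactly one principal matches."""
    hits = resolve(criteria, obj_type)
    if len(hits) != 1:
        raise ValueError("%d entries match %r; specify a type" % (len(hits), criteria))
    return hits[0]

if __name__ == "__main__":
    print(untyped_filter("web1"))
    print([e["type"] for e in resolve("web1")])           # user and host both match
    print(pick_target("web1", "host")["krbprincipalname"])
```

Failing closed on an ambiguous match matters here because ok-as-delegate set on the wrong principal would go unnoticed by the caller.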
