Petr Spacek wrote:
> On 8.3.2013 16:45, Rob Crittenden wrote:
>> One would need to pass in the object type they are dealing with:
>>
>> ipa krbflags --type=user --ok-as-delegate=false sbose
>> ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com
>>
>> We *could* avoid type potentially but it would expand our search base and
>> could slow things down with lots of entries.
> Correct me if I'm wrong, but our KDC driver usually does sub-tree search
> with base dc=example,dc=com. (Except some special cases.) Or not? :-)

Yes but when we do that search we've got a full principal.

Consider the host plugin. If we are given a non-fully-qualified hostname we add the IPA domain by default when looking for things.

It is not uncommon for people to name their laptop after themselves.

So if we are told to add a flag to the pspacek principal, which one is it? The user pspacek or the host pspacek.example.com? Or we could require that hostnames are fully-qualified, it would just be a difference from other plugins.

>> We could search on the accounts
>> container using (objectclass=ipaKrbPrincipal) and
>> (|(uid=CRITERIA)(fqdn=CRITERIA)(krbprincipalname=CRITERIA)) or
>> something like
>> that. I think I'd prefer specifying a type to avoid the case where
>> someone has
>> a hostname the same as a uid (we typically allow specifying non-fqdn when
>> managing hosts).
> Would it be possible to define some reasonable default value for "--type"?
> I don't like typing "--service" all the time ...

Maybe, if we can assume what type of principal is most likely to be updated. Remember that the host/ principal is stored in a host, not a service record.

Then again, I don't know how often one is going to be adding flags to principals, so perhaps a required switch wouldn't be too onerous.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
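The ambiguity discussed in this thread, as an added example that is not FreeIPA's own code: it builds the untyped (uid|fqdn|krbprincipalname) filter and the typed alternative, escapes the criteria so a user-supplied value cannot change the filter's shape, and evaluates the same predicate over a handful of constructed entries to show that "pspacek" resolves to two targets without a type and to exactly one with it. The objectclass names in TYPE_RULES, the in-memory entries, and the host/service normalisation defaults are assumptions made for the example.

```python
"""Added example (not FreeIPA code): resolve a krbflags target with and
without a --type hint, mirroring the search filter discussed in the thread."""
from typing import Optional

# --- Constructed sample entries standing in for cn=accounts (not real data) ---
DOMAIN = "example.com"
REALM = "EXAMPLE.COM"
SAMPLE_ENTRIES = [
    {"dn": "uid=pspacek,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "ipaKrbPrincipal"],
     "uid": "pspacek", "krbprincipalname": f"pspacek@{REALM}"},
    {"dn": "uid=sbose,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "ipaKrbPrincipal"],
     "uid": "sbose", "krbprincipalname": f"sbose@{REALM}"},
    # A laptop named after its owner: the collision Rob describes.
    {"dn": f"fqdn=pspacek.{DOMAIN},cn=computers,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaHost", "ipaKrbPrincipal"],
     "fqdn": f"pspacek.{DOMAIN}",
     "krbprincipalname": f"host/pspacek.{DOMAIN}@{REALM}"},
    {"dn": f"krbprincipalname=HTTP/ipa.{DOMAIN}@{REALM},cn=services,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaService", "ipaKrbPrincipal"],
     "krbprincipalname": f"HTTP/ipa.{DOMAIN}@{REALM}"},
]

# Assumed mapping of --type to the objectclass and naming attribute searched.
TYPE_RULES = {
    "user": ("person", "uid"),
    "host": ("ipaHost", "fqdn"),
    "service": ("ipaService", "krbprincipalname"),
}


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping so user-supplied criteria cannot alter the filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def normalise(criteria: str, ptype: str) -> str:
    """Assumed plugin defaults: an unqualified hostname gets the IPA domain,
    a service principal without a realm gets the realm appended."""
    if ptype == "host" and "." not in criteria:
        return f"{criteria}.{DOMAIN}"
    if ptype == "service" and "@" not in criteria:
        return f"{criteria}@{REALM}"
    return criteria


def build_filter(criteria: str, ptype: Optional[str] = None) -> str:
    """The filter string a real search would send. Without a type this is the
    wide (uid|fqdn|krbprincipalname) disjunction from the thread."""
    if ptype is None:
        return ("(&(objectclass=ipaKrbPrincipal)(|"
                f"(uid={ldap_escape(criteria)})"
                f"(fqdn={ldap_escape(normalise(criteria, 'host'))})"
                f"(krbprincipalname={ldap_escape(normalise(criteria, 'service'))})))")
    oc, attr = TYPE_RULES[ptype]
    return f"(&(objectclass={oc})({attr}={ldap_escape(normalise(criteria, ptype))}))"


def _eq(entry: dict, attr: str, value: str) -> bool:
    # LDAP string attributes compare case-insensitively.
    return str(entry.get(attr, "")).lower() == value.lower()


def _has_class(entry: dict, oc: str) -> bool:
    return oc.lower() in (c.lower() for c in entry.get("objectclass", []))


def matches(entry: dict, criteria: str, ptype: Optional[str] = None) -> bool:
    """In-memory evaluation of the same predicate build_filter() encodes."""
    if ptype is None:
        return _has_class(entry, "ipaKrbPrincipal") and (
            _eq(entry, "uid", criteria)
            or _eq(entry, "fqdn", normalise(criteria, "host"))
            or _eq(entry, "krbprincipalname", normalise(criteria, "service")))
    oc, attr = TYPE_RULES[ptype]
    return _has_class(entry, oc) and _eq(entry, attr, normalise(criteria, ptype))


def resolve(criteria: str, ptype: Optional[str] = None, entries=SAMPLE_ENTRIES) -> list:
    """All DNs the search would return."""
    return [e["dn"] for e in entries if matches(e, criteria, ptype)]


def resolve_unique(criteria: str, ptype: Optional[str] = None, entries=SAMPLE_ENTRIES) -> str:
    """The single target whose flags would be changed; refuse rather than guess."""
    found = resolve(criteria, ptype, entries)
    if len(found) != 1:
        raise ValueError(f"{criteria!r} matched {len(found)} entries: {found}")
    return found[0]


if __name__ == "__main__":
    print(build_filter("pspacek"))
    print(resolve("pspacek"))                         # user and host both match
    print(resolve_unique("pspacek", "user"))
    print(resolve_unique("HTTP/ipa.example.com", "service"))
```

The point of `resolve_unique` is that a flag such as ok-as-delegate changes what a principal is trusted to do, so an untyped lookup that silently picks the first of two candidates is the wrong failure mode; either the caller supplies `--type`, or the command refuses when the short name is shared by a user and a host.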