On 8.3.2013 20:09, Rob Crittenden wrote:
> Petr Spacek wrote:
>> On 8.3.2013 16:45, Rob Crittenden wrote:
>>> One would need to pass in the object type they are dealing with:
>>>
>>> ipa krbflags --type=user --ok-as-delegate=false sbose
>>> ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com
>>>
>>> We *could* avoid type potentially but it would expand our search base
>>> and could slow things down with lots of entries.
>> Correct me if I'm wrong, but our KDC driver usually does sub-tree search
>> with base dc=example,dc=com. (Except some special cases.) Or not? :-)
>
> Yes but when we do that search we've got a full principal.
>
> Consider the host plugin. If we are given a non-fully-qualified hostname
> we add the IPA domain by default when looking for things.
>
> It is not uncommon for people to name their laptop after themselves.
>
> So if we are told to add a flag to the pspacek principal, which one is
> it? The user pspacek or the host pspacek.example.com? Or we could
> require that hostnames are fully-qualified, it would just be a
> difference from other plugins.
>
>>> We could search on the accounts container using
>>> (objectclass=ipaKrbPrincipal) and
>>> (|(uid=CRITERIA)(fqdn=CRITERIA)(krbprincipalname=CRITERIA)) or
>>> something like that. I think I'd prefer specifying a type to avoid the
>>> case where someone has a hostname the same as a uid (we typically allow
>>> specifying non-fqdn when managing hosts).
>> Would it be possible to define some reasonable default value for "--type"?
>> I don't like typing "--service" all the time ...
>
> Maybe, if we can assume what type of principal is most likely to be
> updated. Remember that the host/ principal is stored in a host, not a
> service record.
>
> Then again, I don't know how often one is going to be adding flags to
> principals, so perhaps a required switch wouldn't be too onerous.

Since the plugin would be used to manage Kerberos specifics, I think it is fair to require a valid principal as the argument. So it's either <user> or host/<fqdn> (or <service>/<fqdn>), there's no ambiguity in that and no --type option is required.

If you insist on using arbitrary names, I think we better do this in user/host/service plugins, as suggested originally. Setting PAC type is done in the usual place in service plugin after all, even when it is Kerberos-specific.

>
> rob


Honza

--
Jan Cholasta
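To make the ambiguity in the thread concrete, here is an added example (not FreeIPA's own code, and not from any of the participants) that runs both lookup strategies against a constructed in-memory directory: Rob's single filter over uid/fqdn/krbprincipalname, and Jan's rule that the argument must be a complete principal (<user>, host/<fqdn> or <service>/<fqdn>), which makes the type implicit. The realm, domain and the three sample entries are assumptions; the LDAP filter values are escaped per RFC 4515 because the argument comes straight from the command line.

```python
"""Added example, not FreeIPA code: two ways to resolve the target of an
'ipa krbflags' call. REALM, DOMAIN and ENTRIES are assumptions."""
import re

REALM = "EXAMPLE.COM"      # assumed Kerberos realm
DOMAIN = "example.com"     # assumed IPA domain appended to bare hostnames

# Constructed entries standing in for the accounts container.
ENTRIES = [
    {"dn": "uid=pspacek,cn=users,cn=accounts,dc=example,dc=com",
     "objectclass": ["person", "ipaKrbPrincipal"],
     "uid": "pspacek", "krbprincipalname": f"pspacek@{REALM}"},
    {"dn": "fqdn=pspacek.example.com,cn=computers,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaHost", "ipaKrbPrincipal"],
     "fqdn": "pspacek.example.com",
     "krbprincipalname": f"host/pspacek.example.com@{REALM}"},
    {"dn": f"krbprincipalname=HTTP/ipa.example.com@{REALM},cn=services,cn=accounts,dc=example,dc=com",
     "objectclass": ["ipaService", "ipaKrbPrincipal"],
     "krbprincipalname": f"HTTP/ipa.example.com@{REALM}"},
]


def ldap_escape(value):
    """RFC 4515 escaping: a CLI argument must not be able to change the
    structure of the filter it is embedded in."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def ambiguous_terms(criteria):
    """Rob's proposal: one search over uid, fqdn and krbprincipalname.
    A bare hostname gets the domain appended, as the host plugin does."""
    fqdn = criteria if "." in criteria else f"{criteria}.{DOMAIN}"
    return [("uid", criteria), ("fqdn", fqdn), ("krbprincipalname", criteria)]


def principal_terms(arg):
    """Jan's proposal: require a real principal, so the type is implied.
    Returns (kind, terms); raises ValueError on anything ambiguous."""
    name, _, realm = arg.partition("@")
    if not name:
        raise ValueError(f"empty principal: {arg!r}")
    if realm and realm.upper() != REALM:
        raise ValueError(f"principal not in realm {REALM}: {arg}")
    if "/" in name:
        svc, _, host = name.partition("/")
        if not svc or not host or "/" in host:
            raise ValueError(f"malformed principal: {arg}")
        if "." not in host:
            # No domain-appending here: host/pspacek stays an error.
            raise ValueError(f"hostname must be fully qualified: {host}")
        kind = "host" if svc == "host" else "service"
    else:
        kind = "user"
    return kind, [("krbprincipalname", f"{name}@{REALM}")]


def to_filter(terms):
    """Render the LDAP filter string that would be sent to the directory."""
    ors = "".join(f"({attr}={ldap_escape(val)})" for attr, val in terms)
    return f"(&(objectclass=ipaKrbPrincipal)(|{ors}))"


def search(terms, entries=ENTRIES):
    """Evaluate the same terms over the in-memory entries. Matching is
    exact here; a real directory applies the schema's matching rules."""
    return [e["dn"] for e in entries
            if "ipaKrbPrincipal" in e["objectclass"]
            and any(e.get(attr) == val for attr, val in terms)]


if __name__ == "__main__":
    print(to_filter(ambiguous_terms("pspacek")))
    print(search(ambiguous_terms("pspacek")))    # two hits: user and host
    for arg in ("pspacek", "host/pspacek.example.com", "HTTP/ipa.example.com"):
        kind, terms = principal_terms(arg)
        print(kind, search(terms))                # exactly one hit each
```

With the ambiguous filter, "pspacek" returns both the user and the host entry, which is the collision Rob describes; with a full principal the lookup is a single equality match on krbprincipalname and no --type switch is needed. The escaping matters in both variants: without it an argument such as `*)(uid=admin` would widen the search.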

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
