On Tue, 2013-03-12 at 10:23 +0100, Jan Cholasta wrote:
> On 8.3.2013 14:41, Simo Sorce wrote:
> > On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote:
> >> Hi,
> >>
> >> On 7.3.2013 21:15, Rob Crittenden wrote:
> >>> Based on a comment from Sumit in ticket
> >>> https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
> >>> how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
> >>
> >> Can we have one multi-valued attribute which contains names of flags to
> >> set instead of one attribute per flag? It might make adding new flags
> >> easier.
> >
> > If you are cramming everything in one attribute then we can keep using
> > krbExtraData, no?
>
> I'm not sure if that can be done from Python.
>
> Can we use krbTicketFlags for this? Support for this attribute is
> already in ipa-kdb and I have checked that setting it to the right value
> results in tickets with OK_AS_DELEGATE set.
>
> >
> >> Would it make sense to add a global configuration option to turn flags
> >> on or off for all services of a given type?
> >
> > We might, but how do you check for the global value?
> > An additional search for every KDC operation is simply not going to
> > happen.
>
> Can we do that extra search only when the KDC is initialized and when
> configuration is refreshed? I don't think the default values would
> change too often, so this might be OK.

How do you know when the configuration changes?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel