On Tue, Mar 12, 2013 at 08:34:33AM -0400, Simo Sorce wrote:
> On Tue, 2013-03-12 at 10:23 +0100, Jan Cholasta wrote:
> > On 8.3.2013 14:41, Simo Sorce wrote:
> > > On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote:
> > >> Hi,
> > >>
> > >> On 7.3.2013 21:15, Rob Crittenden wrote:
> > >>> Based on a comment from Sumit in ticket
> > >>> https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of
> > >>> how one might do it: http://freeipa.org/page/V3/Kerberos_Flags
> > >>
> > >> Can we have one multi-valued attribute which contains names of flags to
> > >> set instead of one attribute per flag? It might make adding new flags
> > >> easier.
> > >
> > > if you are cramming everything in one attribute then we can keep using
> > > krbExtraData, no ?
> >
> > I'm not sure if that can be done from Python.
> >
> > Can we use krbTicketFlags for this? Support for this attribute is
> > already in ipa-kdb and I have checked that setting it to the right value
> > results in tickets with OK_AS_DELEGATE set.
> >
> > >
> > >> Would it make sense to add a global configuration option to turn flags
> > >> on or off for all services of a given type?
> > >
> > > We might, but how do you check for the global value ?
> > > An additional search for every KDC operation is simply not going to
> > > happen.
> >
> > Can we do that extra search only when the KDC is initialized and when
> > configuration is refreshed? I don't think the default values would
> > change too often, so this might be OK.
>
> How do you know when the configuration changes ?

iirc Martin introduced a reload of the configuration if it is older than
a certain time with the SID blacklist work.

bye,
Sumit

>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel