On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote: > On 12.3.2013 16:00, Rob Crittenden wrote: > > Petr Spacek wrote: > >> On 12.3.2013 15:39, Rob Crittenden wrote: > >>> Petr Spacek wrote: > >>>> On 12.3.2013 13:34, Simo Sorce wrote: > >>>>>>> > >We might, but how do you check for the global value ? > >>>>>>> > >An additional search for every KDC operation is simply not > >>>>>>> going to > >>>>>>> > >happen. > >>>>>> > > >>>>>> >Can we do that extra search only when the KDC is initialized and > >>>>>> when > >>>>>> >configuration is refreshed? I don't think the default values would > >>>>>> >change too often, so this might be OK. > >>>>> How do you know when the configuration changes ? > >>>> Persistent search? > >>>> > >>> > >>> Well, this is where we might do well with a 389-ds plugin that > >>> monitors flag > >>> changes so we can catch changes made directly by kadmin.local as well. > >>> This > >>> would be similar to the password plugin in keeping several attributes > >>> in sync. > >> > >> I didn't understand your note about DS plugin. > >> > >> kadmin.local does all changes in LDAP, or not? All changes in LDAP DB > >> are sent via persistent search (if the persistent search was issued with > >> appropriate parameters). > >> > > > > Let me step back and say I know next to nothing about how the KDB > > backend works. > > > > What would be nice is one place to notice changes to these proposed > > flags and the flag bitfield. Whether that is best done in the backend or > > via a 389-ds plugin I don't know. So whatever we do, we need one place > > to notice changes in either the flag(s) or bitfield and keep the values > > in sync. > > Why can't we set the bitfield (krbTicketFlags) directly? (There is an > ACI preventing that, I'm just wondering what is the reason for this.)
If you tell me who 'we' is (as in what user would set it) I can tell you why it is/isn't possible. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel