On 09/25/2009 11:40 AM, Sumit Bose wrote:
> On Fri, Sep 25, 2009 at 09:40:49AM -0400, Stephen Gallagher wrote:
>> On 09/25/2009 09:09 AM, Sumit Bose wrote:
>>> Hi,
>>>
>>> this patch to the sssd-krb5 man page should clarify how the krb5
>>> provider will find the right UPN.
>>>
>>> This hopefully fixes #204.
>>>
>>> Please feel free to correct any grammar or spelling mistakes.
>>>
>>> bye,
>>> Sumit
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> sssd-devel mailing list
>>> sssd-devel@lists.fedorahosted.org
>>> https://fedorahosted.org/mailman/listinfo/sssd-devel
>>
>> Just a few minor nitpicks.
>> 1) Please rebase atop the current master.
>>
>> I'd rewrite the following paragraph:
>> The Kerberos 5 authentication backend does not contain an identity
>> provider. But some useful information can only be delivered by an
>> identity provider, e.g. the User's Principle Name (UPN). If the
>> identity provider knows the UPN, e.g. this is the case in Active
>> Directory or FreeIPA domains, it can be saved in
>> <command>sssd's</command> internal cache and used by the Kerberos 5
>> authentication backend. Please refer to the man page of the used
>> identity provider to see how to configure this.
>>
>> as
>>
>> The Kerberos 5 authentication backend does not contain an identity
>> provider and must be paired with one in order to function properly (for
>> example, id_provider = ldap). Some information required by the Kerberos
>> 5 authentication backend must be provider by the identity provider, such
>> as the user's Kerberos Principal Name (UPN). The configuration of the
>> identity provider should have an entry to specify the UPN. Please refer
>> to the man page for the applicable identity provider for details on how
>> to configure this.
>>
>> Under krb5try_simple_upn, please change "an User Principal Name" to "a
>> User Principal Name". I'd also recommend that the last sentence read:
>> "In this case, SSSD will construct a UPN using the format
>> <replaceable>username</replaceable>@<replaceable>krb5_realm</replaceable>"
>>
>
> After some discussion it became clear that it might be easier to drop
> the krb5try_simple_upn option at all and make the logic behind a default
> fallback if the UPN cannot be found in sysdb. This patch does exactly
> that.
>
> Stephen's comments are included in the updated man page.
>
> bye,
> Sumit
>

Ack. I will push with one minor typo fixed (my fault, it was in my
original review).

-- 
Stephen Gallagher
RHCE 804006346421761