On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> Hi,
> Before we go too far with implementing the CS decoupling, here is a
> stupid idea I have.
> We can proceed with the plans described in tickets:
> https://fedorahosted.org/freeipa/ticket/1250
> https://fedorahosted.org/freeipa/ticket/1251
> https://fedorahosted.org/freeipa/ticket/1252
> However, what we can do is store the CS instance DM password encrypted in
> the main instance.
> Then the management utility (ticket 1250) would first have to fetch this
> encrypted attribute from the main instance.
> We would be able to define ACIs on it and use the Kerberos
> authentication against the main instance instead of prompting user for
> the DM password.
> It is a little bit more work but a much better and consistent user
> experience and administrative model.
> What do you think?

This is something we can try I guess.
But in order to do something like that we will have to create a special
extended operation or add a special search control in the password-extop
plugin so that it can perform access control and decrypt the secret
before handing it back.

Although if we are going this route we could also see if we can use some
temporary token instead that allows access to the CS instance for a few
minutes w/o giving away the actual DM password.

I will think a bit about how hard it would be.


Simo Sorce * Red Hat, Inc * New York
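The "temporary token" alternative Simo raises above, as an added illustration that is not part of the original thread and not FreeIPA code: the main instance, after authenticating the caller with Kerberos, issues a short-lived HMAC-signed token bound to the caller's principal, and the CS side accepts that token for a few minutes instead of ever receiving the DM password. The key name, token layout, 300-second lifetime and the `issue_token`/`verify_token` functions are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key. In the design sketched in the thread this secret
# would exist only on the issuing (main) instance; it is NOT the DM password.
SERVER_KEY = b"constructed-example-key-not-for-real-use"

# "A few minutes" of access, expressed in seconds (assumed value).
TOKEN_LIFETIME = 300


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def issue_token(principal: str, now: int, key: bytes = SERVER_KEY,
                lifetime: int = TOKEN_LIFETIME) -> str:
    """Issue a token for an already Kerberos-authenticated principal.

    The token carries only the principal and an expiry time; the DM
    password never leaves the main instance, which is the point of the
    approach. 'now' is passed in explicitly so expiry can be tested.
    """
    payload = json.dumps({"sub": principal, "exp": now + lifetime},
                         sort_keys=True).encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Return the principal if the token is authentic and unexpired, else None.

    Signature is checked before anything in the payload is trusted, using a
    constant-time comparison; expiry is then enforced from the signed payload.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload.decode("utf-8"))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims.get("sub")


if __name__ == "__main__":
    t = issue_token("admin@EXAMPLE.TEST", now=1000)
    print("fresh token accepted for:", verify_token(t, now=1100))
    print("same token after expiry:", verify_token(t, now=1301))
```

Because the token is signed rather than encrypted, a revoked or expired token fails verification without the CS side needing any shared long-lived secret beyond the verification key, and nothing in the exchange discloses the DM password itself.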

Freeipa-devel mailing list
