On Sat, 2011-06-18 at 11:18 -0400, Simo Sorce wrote:
> On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> > Hi,
> > Before we went too far with implementing the CS decoupling here is a
> > stupid idea I have.
> > We can proceed with the plans described in tickets:
> > https://fedorahosted.org/freeipa/ticket/1250
> > https://fedorahosted.org/freeipa/ticket/1251
> > https://fedorahosted.org/freeipa/ticket/1252
> > However what we can do is store the CS instance DM password encrypted in
> > the main instance.
> > Then the management utility (ticket 1250) would first have to fetch this
> > encrypted attribute from the main instance.
> > We would be able to define ACIs on it and use the kerberos
> > authentication against the main instance instead of prompting user for
> > the DM password.
> > It is a little bit more work but much better and consistent user
> > experience and administrative model.
> > What do you think?
> This is something we can try I guess.
> But in order to do something like that we will have to create a special
> extend operation or add a special search control in the password-extop
> plugin so that it can perform access control and decrypt the secret
> before handing it back.
> Although if we are going this route we could also see if we can use some
> temporary token instead that allows access to the CS instance for a few
> minutes w/o giving away the actual DM password.
> I will think a bit how hard it would be.
I have created ticket https://fedorahosted.org/freeipa/ticket/1353 to
capture this task.
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list