On Sat, 2011-06-18 at 11:18 -0400, Simo Sorce wrote:
> On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> > Hi,
> >
> > Before we go too far with implementing the CS decoupling, here is a
> > stupid idea I have.
> >
> > We can proceed with the plans described in tickets:
> > https://fedorahosted.org/freeipa/ticket/1250
> > https://fedorahosted.org/freeipa/ticket/1251
> > https://fedorahosted.org/freeipa/ticket/1252
> >
> > However, what we can do is store the CS instance DM password encrypted in
> > the main instance.
> > Then the management utility (ticket 1250) would first have to fetch this
> > encrypted attribute from the main instance.
> > We would be able to define ACIs on it and use the Kerberos
> > authentication against the main instance instead of prompting the user for
> > the DM password.
> > It is a little bit more work but a much better and more consistent user
> > experience and administrative model.
> >
> > What do you think?
>
> This is something we can try, I guess.
> But in order to do something like that we will have to create a special
> extended operation or add a special search control in the password-extop
> plugin so that it can perform access control and decrypt the secret
> before handing it back.
>
> Although if we are going this route we could also see if we can use some
> temporary token instead that allows access to the CS instance for a few
> minutes w/o giving away the actual DM password.
>
> I will think a bit about how hard it would be.

I have created ticket https://fedorahosted.org/freeipa/ticket/1353 to capture this task.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel