On Thu, 2014-03-06 at 09:50 +0100, Petr Spacek wrote:
> On 5.3.2014 23:18, Simo Sorce wrote:
> > Thanks for reading this far :-)
>
> I will bikeshed this thread a little bit:
> Can we use kadmin protocol instead of the proprietary LDAP control?

You know, you already made the same question last year when I sent the
first RFC patchset, the answer is in that thread :)

> If I remember correctly one of objections was that we do not allow admin to
> read the key but it is not true anymore ... And we have ticket delegation
> capabilities so kadmin process can use credentials of requester to contact
> LDAP.
>
> I really don't like ipa-getkeytab :-) It is yet another proprietary tool. I
> would like to allow admins experienced with Kerberos to use normal kadmin.

Right, but this is not the feedback I was looking for, we already have
ipa-getkeytab and now we need an additional feature this patchset
provides, I'd like comments on the implementation.

When we will have a way to use kadmin the core of this code will still
be relevant as we'll use the same mechanism to control who can do what.

Simo.

--
Simo Sorce * Red Hat, Inc * New York