On Thu, 2014-03-06 at 09:50 +0100, Petr Spacek wrote:
> On 5.3.2014 23:18, Simo Sorce wrote:
> > Thanks for reading this far :-)
> I will bikeshed this thread a little bit:
> Can we use kadmin protocol instead of the proprietary LDAP control?

You know, you already made the same question last year when I sent the
first RFC patchset, the answer is in that thread :)

> If I remember correctly one of objections was that we do not allow admin to 
> read the key but it is not true anymore ... And we have ticket delegation 
> capabilities so kadmin process can use credentials of requester to contact 
> I really don't like ipa-getkeytab :-) It is yet another proprietary tool. I 
> would like to allow admins experienced with Kerberos to use normal kadmin.

Right, but this is not the feedback I was looking for, we already have
ipa-getkeytab and now we need an additional feature this patchset
provides, I'd like comments on the implmentation.

When we will have a way to use kadmin the core of this code will still
be relevant as we'll use the same mechanism to control who can do what.


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to