Hello,

Related ticket: https://fedorahosted.org/freeipa/ticket/3644


1) API

The ipaKrb5DelegationACL objectclass requires targets, which are stored in an extra objectclass.

A) we allow users to create groups of principals and then associate them as targets -- a user can use the same group for multiple delegation ACLs

B) users specify only list of target principals (no groups)

B seems better to me.

2)
We should create an extra subtree for delegation targets (cn=user_targets,cn=s4u2proxy) to separate targets and rules.

Any objections?

Martin^2

--
Martin Basti

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
