On 25.11.2015 00:09, Simo Sorce wrote:
> This patch is untested and mostly an RFC.
>
> I think it is all we need to allow specifying authz data types per user
> and, by setting the attribute to NONE, preventing a user from getting
> MS-PAC data in their ticket.
>
> Alexander, you changed the code around here quite a bit, so I'd like to
> know if you think the change I made in the KDC will cause any issue with
> the special PACs we generate for master's principals. As far as I can
> tell it shouldn't.
>
> Any opinion is welcome.

Before your change, the server entry was checked for AS requests; now only the client entry is checked for AS requests. I'm not very familiar with ipa-kdb, but shouldn't the server entry still be checked as a fallback when there is no authorization data in the client entry?

The attribute is exposed in the service plugin, shouldn't it be exposed in the user plugin as well?

Nitpick: don't remove the space character here: "( uid )".

Jan Cholasta

