On Mon, 30 Nov 2015, Simo Sorce wrote:
On Wed, 2015-11-25 at 09:47 -0500, Simo Sorce wrote:
On Wed, 2015-11-25 at 09:02 -0500, Rob Crittenden wrote:
> Jan Cholasta wrote:
> > On 24.11.2015 22:17, Simo Sorce wrote:
> >> On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote:
> >>> On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote:
> >>>> Since some time we use the getkeytab operation to fetch keytabs on
> >>>> newer
> >>>> clients. According to bug #232 setkeytab can be used to circumvent
> >>>> password quality controls so it needs to be slowly retired.
> >>>>
> >>>> The attached patches implement #5485 in 2 parts.
> >>>>
> >>>> The first introduces the option DisableSetKeytab which globally
> >>>> disables
> >>>> the setkeytab extended operation. This is set to false by default for
> >>>> backwards compatibility.
> >>>>
> >>>> The second introduces an option called DisableUserSetKeytab, which is
> >>>> active by default in new installs (but not in upgraded ones), and only
> >>>> disables the use of setkeytab for ipa users, but not for
> >>>> hosts/services.
> >>>> This is because users are the ones that may abuse the interface to
> >>>> escape password policies and users also normally do not acquire
> >>>> keytabs,
> >>>> so it is a safe bet to disable just them by default in new installs.
> >>>>
> >>>> (Testing in progress)
> >>>
> >>> Tested and working as expected.
> >>
> >> I realized that adding options to ipaConfig require to add them in the
> >> UI as well, attached patches add options in API.txt and config.py
> >> Make now complains that I should change the API major or minor version,
> >> but it is not clear to me why, given these are additional values and no
> >> real change or new function is introduced. What's the recommendation?
> >
> > When does make complain? It is supposed to complain only when API.txt
> > does not match code.
> >
> > Anyway, we usually bump minor version even for backward compatible
> > changes, see e.g. commit 9549a59.
> >
>
> The point of API.txt (and the heavy client) was to save a round-trip.
> Being able to pass in an invalid option would void that rule hence
> having to update the API when new values are added.
>
> rob

Ok, added version change to the second patch (so we bump it only once,
given these are basically related changes).

Bump, is this ok?
This patch is fine but please fix setkeytab use in ipa-sam before
committing this patch.
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
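The policy the thread describes, as an added example that is neither FreeIPA's code nor part of the patches under review: a small Python model of the two switches (DisableSetKeytab as a global switch that is off by default for backwards compatibility; DisableUserSetKeytab as a user-only switch that is on by default only on new installs) applied to a principal's entry. Everything about representation is assumed for the sake of the example: that the switches appear as boolean attributes of those names on the config entry, that the principal kind is derived from objectClass values (person/posixAccount for users, ipaHost for hosts, ipaService for services), and that an unclassifiable entry is refused (fail closed, an editor's choice rather than anything the thread states). The LDIF snippets are constructed.

```python
# Added example; not code from FreeIPA or from the patches in this thread.
# Models the setkeytab gate described on the list:
#   DisableSetKeytab      - global switch, off by default (backwards compat)
#   DisableUserSetKeytab  - user-only switch, on by default on NEW installs,
#                           off on upgraded ones
# Attribute names, their boolean encoding, the objectClass-to-kind mapping
# and the fail-closed default are assumptions made for this example.

CONFIG_DEFAULTS_NEW_INSTALL = {"DisableSetKeytab": "FALSE",
                               "DisableUserSetKeytab": "TRUE"}
CONFIG_DEFAULTS_UPGRADE = {"DisableSetKeytab": "FALSE",
                           "DisableUserSetKeytab": "FALSE"}


def parse_ldif_attrs(text):
    """Minimal parser for one LDIF entry: 'attr: value' lines, multi-valued,
    attribute names folded to lower case (LDAP attribute names are
    case-insensitive). The dn line and comments are skipped."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.lower().startswith("dn:"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def parse_bool(value):
    return value.strip().upper() in ("TRUE", "1", "YES", "ON")


def load_policy(config_attrs, new_install):
    """Resolve the two switches from the config entry, falling back to the
    install-type defaults when the attribute is absent (as it would be on an
    upgraded server that never had the option written)."""
    defaults = (CONFIG_DEFAULTS_NEW_INSTALL if new_install
                else CONFIG_DEFAULTS_UPGRADE)
    policy = {}
    for name, default in defaults.items():
        values = config_attrs.get(name.lower(), [default])
        policy[name] = parse_bool(values[0])
    return policy


def principal_kind(entry_attrs):
    """Classify a principal's entry by objectClass (assumed mapping)."""
    oc = {c.lower() for c in entry_attrs.get("objectclass", [])}
    if "ipahost" in oc:
        return "host"
    if "ipaservice" in oc:
        return "service"
    if oc & {"posixaccount", "person", "inetorgperson"}:
        return "user"
    return "unknown"


def setkeytab_allowed(policy, entry_attrs):
    """Decide whether the setkeytab extended operation may proceed for the
    principal whose entry is given. Returns (allowed, reason)."""
    if policy["DisableSetKeytab"]:
        return False, "setkeytab disabled globally (DisableSetKeytab)"
    kind = principal_kind(entry_attrs)
    if kind == "unknown":
        # Editor's choice: an entry we cannot classify is refused rather
        # than treated as a host/service.
        return False, "unclassified principal; refusing (fail closed)"
    if kind == "user" and policy["DisableUserSetKeytab"]:
        return False, ("setkeytab disabled for users (DisableUserSetKeytab); "
                       "users should use getkeytab instead")
    return True, "setkeytab allowed for %s principal" % kind


# Constructed sample entries for the demonstration.
USER_ENTRY = parse_ldif_attrs("""
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: person
objectClass: posixAccount
uid: alice
""")

HOST_ENTRY = parse_ldif_attrs("""
dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
objectClass: ipaHost
fqdn: web1.example.test
""")

GLOBAL_OFF_CONFIG = parse_ldif_attrs("""
dn: cn=ipaConfig,cn=etc,dc=example,dc=test
DisableSetKeytab: TRUE
""")


if __name__ == "__main__":
    fresh = load_policy({}, new_install=True)
    upgraded = load_policy({}, new_install=False)
    print("new install, user:", setkeytab_allowed(fresh, USER_ENTRY))
    print("new install, host:", setkeytab_allowed(fresh, HOST_ENTRY))
    print("upgrade, user:   ", setkeytab_allowed(upgraded, USER_ENTRY))
    print("global off, host:", setkeytab_allowed(
        load_policy(GLOBAL_OFF_CONFIG, new_install=True), HOST_ENTRY))
```

The point the model makes explicit is the one Simo gives for the split: with only the defaults, a fresh install already refuses setkeytab for users (the principals that could use it to escape password policy) while hosts and services keep working, and an upgraded server changes nothing until an administrator sets the option.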