On Wed, 09 Dec 2015, Simo Sorce wrote:
From f21c88b9f74453c6d6e16fb17d94efa469eed564 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Tue, 24 Nov 2015 18:01:52 -0500
Subject: [PATCH] Allow to specify Kerberos authz data type per user

Like for services, setting the ipaKrbAuthzData attribute on a user object will
allow us to control exactly what authz data is allowed for that user.
Setting NONE would allow no authz data, while setting MS-PAC would allow only
Active Directory compatible data.

Signed-off-by: Simo Sorce <s...@redhat.com>

Ticket: https://fedorahosted.org/freeipa/ticket/2579

ACK for the code as that is obvious, but I have a question about
objectclass replication -- we extend the objectclass definition to allow
more attributes in MAY. How does 389-ds handle replication of such a case?
Will a new definition override the old one without any problem?

@@ -76,7 +76,7 @@ objectClasses: (2.16.840.1.113730. NAME 'ipaIDrange' 
objectClasses: (2.16.840.1.113730. NAME 'ipaDomainIDRange' SUP 
ipaIDrange STRUCTURAL MAY ( ipaBaseRID $ ipaSecondaryBaseRID ) X-ORIGIN 'IPA 
v3' )
objectClasses: (2.16.840.1.113730. NAME 'ipaTrustedADDomainRange' SUP 
ipaIDrange STRUCTURAL MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) X-ORIGIN 'IPA 
v3' )
objectClasses: (2.16.840.1.113730. NAME 'ipaUserAuthTypeClass' SUP top 
AUXILIARY DESC 'Class for authentication methods definition' MAY 
ipaUserAuthType X-ORIGIN 'IPA v3')
-objectClasses: (2.16.840.1.113730. NAME 'ipaUser' AUXILIARY MUST ( 
uid ) MAY ( userClass ) X-ORIGIN 'IPA v3' )
+objectClasses: (2.16.840.1.113730. NAME 'ipaUser' AUXILIARY MUST ( 
uid) MAY ( userClass $ ipaKrbAuthzData ) X-ORIGIN 'IPA v3' )
objectClasses: (2.16.840.1.113730. NAME 'ipaPermissionV2' DESC 'IPA 
Permission objectclass, version 2' SUP ipaPermission AUXILIARY MUST ( 
ipaPermBindRuleType $ ipaPermLocation ) MAY ( ipaPermDefaultAttr $ 
ipaPermIncludedAttr $ ipaPermExcludedAttr $ ipaPermRight $ ipaPermTargetFilter 
$ ipaPermTarget $ ipaPermTargetTo $ ipaPermTargetFrom ) X-ORIGIN 'IPA v4.0' )
objectClasses: (2.16.840.1.113730. NAME 'ipaAllowedOperations' SUP top 
AUXILIARY DESC 'Class to apply access controls to arbitrary operations' MAY ( 
ipaAllowedToPerform $ ipaProtectedOperation ) X-ORIGIN 'IPA v4.0')
objectClasses: (2.16.840.1.113730. NAME 'ipaPublicKeyObject' DESC 
'Wrapped public keys' SUP top AUXILIARY MUST ( ipaPublicKey ) X-ORIGIN 'IPA 
v4.1' )
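Review bot: the `+` line of this hunk changes `MUST ( uid )` to `MUST ( uid)`, dropping the space before the closing parenthesis; the neighbouring definitions (`MUST ( ipaPublicKey )`, `MAY ( ipaBaseRID $ ipaSecondaryBaseRID )`) keep a space on both sides, so the new line should read `MUST ( uid ) MAY ( userClass $ ipaKrbAuthzData )` to avoid mixing an unrelated whitespace change into a schema diff. Separately, the modified ipaUser class keeps `X-ORIGIN 'IPA v3'` while the classes added later in the same file carry `'IPA v4.0'` and `'IPA v4.1'`; if the project convention is to mark the version that last changed a definition, the X-ORIGIN of ipaUser should be updated in the same line.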

/ Alexander Bokovoy

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
