On 04/08/2016 05:10 PM, Martin Babinsky wrote:
> Hi list,
> I have put together a draft [1] outlining the effort to reimplement the
> handling of Kerberos principals in both backend and frontend layers of FreeIPA
> so that we may have multiple aliases per user, host or service and thus
> implement stuff like https://fedorahosted.org/freeipa/ticket/3961 and
> https://fedorahosted.org/freeipa/ticket/5413 .
> Since much of the plumbing was already implemented,[2] the document mainly
> describes what the patches do. Some parts required by other use cases may be
> missing so please point these out.
> I would also be happy if you could correct all factual inacurracies, I did
> research on this issue a long time ago and my knowledge turned a bit rusty.
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> [2] https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html

Thanks! Looking on the planned API/CLI, besides the typo ("prinicpal"), I also
see that you are using the Kerberos attributes in the raw name
("--krbprincipalname"). This is not consistent with the CLI form when they are
used in other commands:

        Str('krbprincipalname?', validate_principal,
            label=_('Kerberos principal'),
            default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
            normalizer=lambda value: normalize_principal(value),
            label=_('Kerberos principal expiration'),

IMO, it should be rather "--principal" and "--principal-alias".


Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to