On 05/06/2016 02:57 PM, Martin Kosek wrote:
On 04/18/2016 10:31 AM, Martin Kosek wrote:
On 04/08/2016 05:10 PM, Martin Babinsky wrote:
I have put together a draft outlining the effort to reimplement the
handling of Kerberos principals in both backend and frontend layers of FreeIPA
so that we may have multiple aliases per user, host or service and thus
implement stuff like https://fedorahosted.org/freeipa/ticket/3961 and
Since much of the plumbing was already implemented, the document mainly
describes what the patches do. Some parts required by other use cases may be
missing so please point these out.
I would also be happy if you could correct all factual inaccuracies; I did
research on this issue a long time ago and my knowledge turned a bit rusty.
Thanks! Looking at the planned API/CLI, besides the typo ("prinicpal"), I also
see that you are using the Kerberos attributes in the raw name
("--krbprincipalname"). This is not consistent with the CLI form when they are
used in other commands:
    default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
    normalizer=lambda value: normalize_principal(value),
    label=_('Kerberos principal expiration'),
IMO, it should be rather "--principal" and "--principal-alias".
I have fixed the CLI API a while ago so it should now be more conformant
with the rest of the framework. I just forgot to notify the list about
Other parts of the design were also revised but we are not there yet
since we have to investigate a discrepancy in handling of kinit using
alias without canonicalization between AD and MIT Kerberos.
We have discussed this with Simo (cc'ed) who promised to ask MIT guys
about this. We should restart the discussion about the design.