On 05/06/2016 02:57 PM, Martin Kosek wrote:
On 04/18/2016 10:31 AM, Martin Kosek wrote:
On 04/08/2016 05:10 PM, Martin Babinsky wrote:
Hi list,

I have put together a draft [1] outlining the effort to reimplement the
handling of Kerberos principals in both backend and frontend layers of FreeIPA
so that we may have multiple aliases per user, host or service and thus
implement stuff like https://fedorahosted.org/freeipa/ticket/3961 and
https://fedorahosted.org/freeipa/ticket/5413 .

Since much of the plumbing was already implemented,[2] the document mainly
describes what the patches do. Some parts required by other use cases may be
missing so please point these out.

I would also be happy if you could correct all factual inaccuracies, I did
research on this issue a long time ago and my knowledge turned a bit rusty.

[1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
[2] https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html

Thanks! Looking at the planned API/CLI, besides the typo ("prinicpal"), I also
see that you are using the Kerberos attributes in the raw name
("--krbprincipalname"). This is not consistent with the CLI form when they are
used in other commands:

...
        Str('krbprincipalname?', validate_principal,
            cli_name='principal',
            label=_('Kerberos principal'),
            default_from=lambda uid: '%s@%s' % (uid.lower(), api.env.realm),
            autofill=True,
            flags=['no_update'],
            normalizer=lambda value: normalize_principal(value),
        ),
        DateTime('krbprincipalexpiration?',
            cli_name='principal_expiration',
            label=_('Kerberos principal expiration'),
        ),
...

IMO, it should be rather "--principal" and "--principal-alias".

Martin


Bump.


I have fixed the CLI API a while ago so it should now be more conformant with the rest of the framework. I just forgot to notify the list about the change.

Other parts of the design were also revised but we are not there yet since we have to investigate a discrepancy in handling of kinit using alias without canonicalization between AD and MIT Kerberos.

We have discussed this with Simo (cc'ed) who promised to ask MIT guys about this. We should restart the discussion about the design.

--
Martin^3 Babinsky
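Added illustration of the alias model the design discusses (one canonical principal per entry plus extra krbprincipalname aliases, and what a lookup returns with and without canonicalization); this is not code from the thread or from FreeIPA, and the realm, the canonical-name field and the behaviour without canonicalization are assumptions of the model.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set, Tuple

REALM = "EXAMPLE.TEST"  # assumed realm, standing in for api.env.realm


def normalize_principal(value: str, realm: str = REALM) -> str:
    """Simplified model of the normalizer in the Param above: add the realm
    when it is missing, otherwise upper-case the realm part (an assumption)."""
    if "@" not in value:
        return f"{value}@{realm}"
    name, _, r = value.rpartition("@")
    return f"{name}@{r.upper()}"


def validate_principal(value: str) -> None:
    """Reject anything that is not 'component[/component...]@REALM'."""
    if not re.fullmatch(r"[^@\s/]+(/[^@\s/]+)*@[A-Z0-9.\-]+", value):
        raise ValueError(f"invalid principal name: {value!r}")


@dataclass
class Entry:
    canonical: str                                  # the single canonical principal
    aliases: Set[str] = field(default_factory=set)  # further krbprincipalname values

    def principals(self) -> Set[str]:
        return {self.canonical} | self.aliases


def add_alias(entry: Entry, alias: str, entries: Iterable[Entry]) -> str:
    """Attach an alias, refusing one already owned by any entry: a principal
    resolving to two entries would make authentication ambiguous."""
    name = normalize_principal(alias)
    validate_principal(name)
    for other in entries:
        if name in other.principals():
            raise ValueError(f"{name} already belongs to {other.canonical}")
    entry.aliases.add(name)
    return name


def resolve(requested: str, entries: Iterable[Entry],
            canonicalize: bool) -> Optional[Tuple[Entry, str]]:
    """Find the entry owning a principal. Only with canonicalization does the
    canonical name come back; otherwise the presented alias is returned as-is
    (a modelling choice, not a statement about any particular KDC)."""
    name = normalize_principal(requested)
    for entry in entries:
        if name in entry.principals():
            return entry, (entry.canonical if canonicalize else name)
    return None
```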
