On 06/10/2016 12:43 PM, Alexander Bokovoy wrote:
> On Fri, 10 Jun 2016, Petr Vobornik wrote:
>> On 06/09/2016 09:47 PM, Alexander Bokovoy wrote:
>>> On Thu, 09 Jun 2016, Martin Basti wrote:
>>>> On 09.06.2016 17:49, Martin Babinsky wrote:
>>>>> On 06/06/2016 12:38 PM, Alexander Bokovoy wrote:
>>>>>> Hi,
>>>>>> In case an ID override was created for an Active Directory user in
>>>>>> the
>>>>>> default trust view, allow mapping the incoming GSSAPI authenticated
>>>>>> connection to the ID override for this user.
>>>>>> This allows to self-manage ID override parameters from the CLI, for
>>>>>> example, SSH public keys or certificates. Admins can define what
>>>>>> can be
>>>>>> changed by the users via self-service permissions.
>>>>>> Part of https://fedorahosted.org/freeipa/ticket/2149
>>>>> ACK
>>>> Ticket for this is in 'Tickets Deferred' milestone and should be
>>>> re-triaged before push
>>> The ticket itself covers a far longer story and should stay in the
>>> deferred bucket. However, this specific part of the implementation was
>>> already discussed to be for 4.4. Don't pull the original ticket, as I'm
>>> using it as a tracker.
>> This ticket should be used for that:
>> https://fedorahosted.org/freeipa/ticket/3242
> I'm not sure. We have 2149 which came earlier (almost 5 years ago!) and
> is properly describing what this is about.
> Note that if you manually add ID Override record to the cn=admins group,
> then AD users will indeed be able to manage IPA via CLI.
> 3242 is more UI related. UI part needs to be done as we have explicit
> prevention for AD user logons right now.

Most proper would be to create a new ticket, link to bz ‚Äč1287194 and
make it a blocker for 2149 and 3242. But I'm fine with updating both
tickets(2149, 3242) with the commit ID while leaving the tickets open.

Up to you.
Petr Vobornik

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to