Re: [Freeipa-devel] Management of the CS instances.
On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> Hi,
>
> Before we went too far with implementing the CS decoupling here is a
> stupid idea I have.
>
> We can proceed with the plans described in tickets:
> https://fedorahosted.org/freeipa/ticket/1250
> https://fedorahosted.org/freeipa/ticket/1251
> https://fedorahosted.org/freeipa/ticket/1252
>
> However what we can do is store the CS instance DM password encrypted
> in the main instance. Then the management utility (ticket 1250) would
> first have to fetch this encrypted attribute from the main instance.
> We would be able to define ACIs on it and use the Kerberos
> authentication against the main instance instead of prompting user for
> the DM password.
>
> It is a little bit more work but much better and consistent user
> experience and administrative model.
>
> What do you think?

This is something we can try I guess.

But in order to do something like that we will have to create a special extend operation or add a special search control in the password-extop plugin so that it can perform access control and decrypt the secret before handing it back.

Although if we are going this route we could also see if we can use some temporary token instead that allows access to the CS instance for a few minutes w/o giving away the actual DM password.

I will think a bit how hard it would be.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Management of the CS instances.
On Sat, 2011-06-18 at 11:18 -0400, Simo Sorce wrote:
> On Fri, 2011-06-17 at 18:59 -0400, Dmitri Pal wrote:
> > Hi,
> >
> > Before we went too far with implementing the CS decoupling here is a
> > stupid idea I have.
> >
> > We can proceed with the plans described in tickets:
> > https://fedorahosted.org/freeipa/ticket/1250
> > https://fedorahosted.org/freeipa/ticket/1251
> > https://fedorahosted.org/freeipa/ticket/1252
> >
> > However what we can do is store the CS instance DM password encrypted
> > in the main instance. Then the management utility (ticket 1250) would
> > first have to fetch this encrypted attribute from the main instance.
> > We would be able to define ACIs on it and use the Kerberos
> > authentication against the main instance instead of prompting user for
> > the DM password.
> >
> > It is a little bit more work but much better and consistent user
> > experience and administrative model.
> >
> > What do you think?
>
> This is something we can try I guess.
>
> But in order to do something like that we will have to create a
> special extend operation or add a special search control in the
> password-extop plugin so that it can perform access control and
> decrypt the secret before handing it back.
>
> Although if we are going this route we could also see if we can use
> some temporary token instead that allows access to the CS instance for
> a few minutes w/o giving away the actual DM password.
>
> I will think a bit how hard it would be.

I have created ticket https://fedorahosted.org/freeipa/ticket/1353 to capture this task.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 0243-entity-select-widget-for-manager
From ba69b744edf0175983cae56ef751053391c1f0e0 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Sat, 18 Jun 2011 21:16:58 -0400 Subject: [PATCH] entity select widget for manager https://fedorahosted.org/freeipa/ticket/1149 --- install/ui/user.js | 11 +-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/install/ui/user.js b/install/ui/user.js index 8a8f9443d41edfb08165440734be3cc9128b64a3..0a13a546d4dd32cb5353d7960a6d91329632bc23 100644 --- a/install/ui/user.js +++ b/install/ui/user.js @@ -78,7 +78,8 @@ IPA.entity_factories.user = function() { { factory: IPA.multivalued_text_widget, name: 'telephonenumber' }, { factory: IPA.multivalued_text_widget, name: 'pager' }, { factory: IPA.multivalued_text_widget, name: 'mobile' }, -{ factory: IPA.multivalued_text_widget, name: 'facsimiletelephonenumber' } +{ factory: IPA.multivalued_text_widget, + name: 'facsimiletelephonenumber' } ] }, { @@ -87,7 +88,13 @@ IPA.entity_factories.user = function() { }, { name: 'employee', -fields: ['ou', 'manager'] +fields: +['ou', + { + factory:IPA.entity_select_widget, + name: 'manager', entity: 'user', field_name: 'uid' + } +] }, { name: 'misc', -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
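Review bot: The first hunk (@@ -78,7 +78,8 @@) only re-wraps the 'facsimiletelephonenumber' entry and changes no behaviour; it would be cleaner to drop it from this patch or send it as a separate whitespace cleanup so the functional change to the 'employee' section is the only thing under review.

Review bot: In the 'employee' section hunk (@@ -87,7 +88,13 @@), 'factory:IPA.entity_select_widget' is missing the space after the colon that every other 'factory: ...' entry in this file uses, and the 'fields' array now mixes a bare string ('ou') with an object spec, which deserves a one-line comment. The commit message carries only the ticket URL; please say in it that 'manager' is now picked from existing 'user' entries by 'uid'. Because this only constrains what the web UI offers, please also confirm that the value submitted for 'manager' is still validated on the server side.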
[Freeipa-devel] [PATCH] 0244-service-host-entity-select
From 8dba37ff9791455e947c81214c78b0ee0ba2e828 Mon Sep 17 00:00:00 2001 From: Adam Young ayo...@redhat.com Date: Sat, 18 Jun 2011 21:25:15 -0400 Subject: [PATCH] service host entity select Use the entity select widget for add service --- install/ui/service.js |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/install/ui/service.js b/install/ui/service.js index 7af80c7eed4f0b95c79abeac4473c7016bbfaca1..0946aa500384f3c69ca760bef7005979e7b5bf2f 100644 --- a/install/ui/service.js +++ b/install/ui/service.js @@ -118,10 +118,11 @@ IPA.service_add_dialog = function(spec) { size: 20, undo: false })). -field(IPA.text_widget({ +field(IPA.entity_select_widget({ name: 'host', +field_name: 'fqdn', +entity: 'host', label: IPA.messages.objects.service.host, -size: 40, undo: false })). field( -- 1.7.5.2 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
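Review bot: In the IPA.service_add_dialog hunk, swapping IPA.text_widget for IPA.entity_select_widget on 'host' means the value can only come from what the 'host' entity lookup on 'fqdn' returns, and the commit message does not say whether a host name can still be typed in when it is not in that list. Please state the intended behaviour there, and add the ticket reference that patch 0243 includes but this one lacks. As with any client-side picker, the dialog restricting the choices does not replace the server checking that the submitted host exists, so it is worth confirming that check is still in place.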