Re: [Freeipa-devel] [PATCHES] [RFC] New getkeytab operation: why not to use kadmin protocol?
On 5.3.2014 23:18, Simo Sorce wrote:
> Thanks for reading this far :-)

I will bikeshed this thread a little bit: can we use the kadmin protocol instead of the proprietary LDAP control?

If I remember correctly, one of the objections was that we do not allow admin to read the key, but that is not true anymore ... And we have ticket delegation capabilities, so the kadmin process can use the credentials of the requester to contact LDAP.

I really don't like ipa-getkeytab :-) It is yet another proprietary tool. I would like to allow admins experienced with Kerberos to use normal kadmin.

-- 
Petr^2 Spacek

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] [RFC] New getkeytab operation: why not to use kadmin protocol?
On Thu, 2014-03-06 at 09:50 +0100, Petr Spacek wrote:
> On 5.3.2014 23:18, Simo Sorce wrote:
>> Thanks for reading this far :-)
>
> I will bikeshed this thread a little bit: can we use the kadmin protocol instead of the proprietary LDAP control?

You know, you already asked the same question last year when I sent the first RFC patchset; the answer is in that thread :)

> If I remember correctly, one of the objections was that we do not allow admin to read the key, but that is not true anymore ... And we have ticket delegation capabilities, so the kadmin process can use the credentials of the requester to contact LDAP.
>
> I really don't like ipa-getkeytab :-) It is yet another proprietary tool. I would like to allow admins experienced with Kerberos to use normal kadmin.

Right, but this is not the feedback I was looking for. We already have ipa-getkeytab, and now we need the additional feature this patchset provides; I'd like comments on the implementation. When we have a way to use kadmin, the core of this code will still be relevant, as we'll use the same mechanism to control who can do what.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York