Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-18 Thread Simo Sorce
On Sat, 2013-03-16 at 16:46 -0400, Dmitri Pal wrote: On 03/12/2013 02:02 PM, Simo Sorce wrote: On Tue, 2013-03-12 at 18:31 +0100, Jan Cholasta wrote: On 12.3.2013 18:01, Simo Sorce wrote: On Tue, 2013-03-12 at 17:31 +0100, Jan Cholasta wrote: On 12.3.2013 17:24, Simo Sorce wrote: On

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-16 Thread Dmitri Pal
On 03/12/2013 02:02 PM, Simo Sorce wrote: On Tue, 2013-03-12 at 18:31 +0100, Jan Cholasta wrote: On 12.3.2013 18:01, Simo Sorce wrote: On Tue, 2013-03-12 at 17:31 +0100, Jan Cholasta wrote: On 12.3.2013 17:24, Simo Sorce wrote: On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote: Why can't

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Jan Cholasta
On 8.3.2013 20:09, Rob Crittenden wrote: Petr Spacek wrote: On 8.3.2013 16:45, Rob Crittenden wrote: One would need to pass in the object type they are dealing with: ipa krbflags --type=user --ok-as-delegate=false sbose ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Jan Cholasta
On 8.3.2013 14:41, Simo Sorce wrote: On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote: Hi, On 7.3.2013 21:15, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it:

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Rob Crittenden
Jan Cholasta wrote: On 8.3.2013 20:09, Rob Crittenden wrote: Petr Spacek wrote: On 8.3.2013 16:45, Rob Crittenden wrote: One would need to pass in the object type they are dealing with: ipa krbflags --type=user --ok-as-delegate=false sbose ipa krbflags --type=service --ok-as-delegate=true

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Simo Sorce
On Tue, 2013-03-12 at 10:23 +0100, Jan Cholasta wrote: On 8.3.2013 14:41, Simo Sorce wrote: On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote: Hi, On 7.3.2013 21:15, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Petr Spacek
On 12.3.2013 13:34, Simo Sorce wrote: We might, but how do you check for the global value? An additional search for every KDC operation is simply not going to happen. Can we do that extra search only when the KDC is initialized and when configuration is refreshed? I don't think the default

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Rob Crittenden
Petr Spacek wrote: On 12.3.2013 13:34, Simo Sorce wrote: We might, but how do you check for the global value? An additional search for every KDC operation is simply not going to happen. Can we do that extra search only when the KDC is initialized and when configuration is refreshed? I

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Petr Spacek
On 12.3.2013 15:39, Rob Crittenden wrote: Petr Spacek wrote: On 12.3.2013 13:34, Simo Sorce wrote: We might, but how do you check for the global value? An additional search for every KDC operation is simply not going to happen. Can we do that extra search only when the KDC is initialized

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Rob Crittenden
Petr Spacek wrote: On 12.3.2013 15:39, Rob Crittenden wrote: Petr Spacek wrote: On 12.3.2013 13:34, Simo Sorce wrote: We might, but how do you check for the global value? An additional search for every KDC operation is simply not going to happen. Can we do that extra search only when

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Sumit Bose
On Tue, Mar 12, 2013 at 08:34:33AM -0400, Simo Sorce wrote: On Tue, 2013-03-12 at 10:23 +0100, Jan Cholasta wrote: On 8.3.2013 14:41, Simo Sorce wrote: On Fri, 2013-03-08 at 10:31 +0100, Jan Cholasta wrote: Hi, On 7.3.2013 21:15, Rob Crittenden wrote: Based on a comment from

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Jan Cholasta
On 12.3.2013 16:00, Rob Crittenden wrote: Petr Spacek wrote: On 12.3.2013 15:39, Rob Crittenden wrote: Petr Spacek wrote: On 12.3.2013 13:34, Simo Sorce wrote: We might, but how do you check for the global value? An additional search for every KDC operation is simply not going to happen.

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Simo Sorce
On Tue, 2013-03-12 at 15:31 +0100, Petr Spacek wrote: On 12.3.2013 13:34, Simo Sorce wrote: We might, but how do you check for the global value? An additional search for every KDC operation is simply not going to happen. Can we do that extra search only when the KDC is initialized

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Simo Sorce
On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote: On 12.3.2013 16:00, Rob Crittenden wrote: Petr Spacek wrote: On 12.3.2013 15:39, Rob Crittenden wrote: Petr Spacek wrote: On 12.3.2013 13:34, Simo Sorce wrote: We might, but how do you check for the global value? An additional

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Jan Cholasta
On 12.3.2013 17:24, Simo Sorce wrote: On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote: Why can't we set the bitfield (krbTicketFlags) directly? (There is an ACI preventing that, I'm just wondering what is the reason for this.) If you tell me who 'we' is (as in what user would set it) I

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Jan Cholasta
On 12.3.2013 18:01, Simo Sorce wrote: On Tue, 2013-03-12 at 17:31 +0100, Jan Cholasta wrote: On 12.3.2013 17:24, Simo Sorce wrote: On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote: Why can't we set the bitfield (krbTicketFlags) directly? (There is an ACI preventing that, I'm just

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-12 Thread Simo Sorce
On Tue, 2013-03-12 at 18:31 +0100, Jan Cholasta wrote: On 12.3.2013 18:01, Simo Sorce wrote: On Tue, 2013-03-12 at 17:31 +0100, Jan Cholasta wrote: On 12.3.2013 17:24, Simo Sorce wrote: On Tue, 2013-03-12 at 17:02 +0100, Jan Cholasta wrote: Why can't we set the bitfield (krbTicketFlags)

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Sumit Bose
On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags There is a bit of hand waving going on around how the

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Jan Cholasta
Hi, On 7.3.2013 21:15, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags Can we have one multi-valued attribute which contains names of flags to

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Sumit Bose
On Fri, Mar 08, 2013 at 10:31:58AM +0100, Jan Cholasta wrote: Hi, On 7.3.2013 21:15, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags Can we

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Simo Sorce
On Thu, 2013-03-07 at 15:15 -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags There is a bit of hand waving going on around how the flags

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Rob Crittenden
Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags There is a bit of hand waving going on

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Nathaniel McCallum
On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Petr Spacek
On 8.3.2013 16:45, Rob Crittenden wrote: One would need to pass in the object type they are dealing with: ipa krbflags --type=user --ok-as-delegate=false sbose ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com We *could* avoid type potentially but it would expand our

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Sumit Bose
On Fri, Mar 08, 2013 at 12:28:03PM -0500, Nathaniel McCallum wrote: On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Nathaniel McCallum
On Fri, 2013-03-08 at 18:53 +0100, Sumit Bose wrote: On Fri, Mar 08, 2013 at 12:28:03PM -0500, Nathaniel McCallum wrote: On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Rob Crittenden
Petr Spacek wrote: On 8.3.2013 16:45, Rob Crittenden wrote: One would need to pass in the object type they are dealing with: ipa krbflags --type=user --ok-as-delegate=false sbose ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com We *could* avoid type potentially but it