On Tue, Jan 29, 2013 at 10:13:12AM -0500, Simo Sorce wrote:
On Tue, 2013-01-29 at 14:10 +0100, Sumit Bose wrote:
= Implementation =
To avoid issues during upgrade I think all changes done to fix #3263
should be preserved, i.e. the NFS service will have a hardcoded default
'NONE'. Otherwise the LDAP objects of the NFS services must be modified
during upgrade.
In ipadb_sign_authdata() a call like
<pre>
ret = get_service_pac_type(server->princ, pac_type);
</pre>
can be added, where get_service_pac_type() runs an LDAP search with a
filter like
'(&(objectclass=ipaService)(krbPrincipalName=SERVER_PRINCIPAL))' which
looks for the ipakrbauthzdata attribute.
In ipa-kdb we can keep around data when the principal is retrieved from
LDAP. So we should keep around data about the pac_type and then retrieve
it through krb5_entry.
If we are missing the krb5_entry we should ask MIT to change the
interface to pass it in.
ipadb_e_data is already used for extra data. I will update the page
accordingly.
bye,
Sumit
We should *not* perform additional searches, they are costly.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
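
The caching approach proposed in this thread (record pac_type when the principal is fetched, read it back from the entry at signing time), as an added example that is not FreeIPA's code. The struct types, EDATA_MAGIC, fetch_principal(), the flag values and the sample principal are hypothetical stand-ins, and letting NONE override other values is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define EDATA_MAGIC 0x43354143u   /* hypothetical tag marking e_data as ours */
enum { PAC_UNSET = 0, PAC_NONE = 1, PAC_MS_PAC = 2 };   /* hypothetical flags */
struct edata { uint32_t magic; int pac_type; };         /* stand-in for ipadb_e_data */
struct db_entry { const char *princ; void *e_data; };   /* stand-in for krb5_db_entry */
static int ldap_searches;         /* counts simulated LDAP round trips */

/* Map the ipakrbauthzdata values read with the principal to flags. */
static int parse_authz(const char *const *vals)
{
    int t = PAC_UNSET;
    for (; vals && *vals; vals++) {
        if (strcmp(*vals, "NONE") == 0) return PAC_NONE;   /* assumption: NONE wins */
        if (strcmp(*vals, "MS-PAC") == 0) t |= PAC_MS_PAC;
    }
    return t;
}

/* Principal lookup: the one search that happens anyway; cache pac_type here. */
int fetch_principal(const char *princ, const char *const *authz, struct db_entry *out)
{
    struct edata *ed = calloc(1, sizeof(*ed));
    if (!ed) return -1;
    ldap_searches++;
    ed->magic = EDATA_MAGIC;
    ed->pac_type = parse_authz(authz);
    /* Hardcoded default from the thread: NFS services get NONE when unset. */
    if (ed->pac_type == PAC_UNSET && strncmp(princ, "nfs/", 4) == 0)
        ed->pac_type = PAC_NONE;
    out->princ = princ;
    out->e_data = ed;
    return 0;
}

/* Sign-time lookup: reads the cached value, no further LDAP search. */
int get_service_pac_type(const struct db_entry *server, int *pac_type)
{
    const struct edata *ed = server ? server->e_data : NULL;
    if (!ed || ed->magic != EDATA_MAGIC) return -1;   /* entry lacks our e_data */
    *pac_type = ed->pac_type;
    return 0;
}

int main(void) {
    struct db_entry nfs; int t = 0;   /* constructed sample principal below */
    return fetch_principal("nfs/host.example.test", NULL, &nfs) || get_service_pac_type(&nfs, &t) || t != PAC_NONE;
}
```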