#2960 [RFE] Read and use per-service PAC type
Closed: Fixed None Opened 11 years ago by mkosek.

This is a follow up to ticket #2184. Service entries in LDAP can now contain an attribute ipaKrbAuthzData with PAC types that should be used for it.

The attribute can either be set when the service entry is created with the --pac-type option, or it is assigned a default value stored in the IPA config entry in LDAP (MS-PAC by default).


When working on this ticket, we also need to allow a NONE value in the service object to mark services where no PAC is wanted:

(04:58:37 PM) simo: There should be a NONE value for when NO PAC is wanted
(04:58:55 PM) simo: at least per-service
(04:59:13 PM) simo: for the global it makes little to no sense, but I would still allow it

Changing 3.2 priority

UI design is not needed here, because it is covered in other tickets.

Move all uncompleted tickets to next month bucket.

master:

331856b Allow 'nfs:NONE' in global configuration
5f3142c Mention PAC issue with NFS in service plugin doc
efd4d80 Add unit test for get_authz_data_types()
4e34682 ipa-kdb: add PAC only if requested
3eb64f0 ipa-kdb: Read ipaKrbAuthzData with other principal data
d5216d5 ipa-kdb: Read global defaul ipaKrbAuthzData
2d90724 Add NFS specific default for authorization data type
15cc21c Revert "MS-PAC: Special case NFS services"
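
The lookup order this ticket describes (per-service ipaKrbAuthzData, then the global default, with NONE and service-prefixed entries such as 'nfs:NONE'), sketched as an added Python example. It is not FreeIPA's ipa-kdb code: the function names, the precedence of prefixed over generic global entries, and the rejection of NONE mixed with other types are assumptions, and the principals are constructed.

```python
NONE = "NONE"  # marker from the ticket: no PAC wanted


def _effective(types):
    """Normalise one scope's values; NONE alone means 'add no authorization data'."""
    types = {t.strip().upper() for t in types if t.strip()}
    if NONE in types and len(types) > 1:
        # Assumption: a scope that says both "nothing" and "something" is a config error.
        raise ValueError("NONE cannot be combined with other types: %s" % sorted(types))
    return set() if types == {NONE} else types


def service_type(principal):
    """'nfs/host.example.test@EXAMPLE.TEST' -> 'nfs'; user principals -> None."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[0].lower() if "/" in name else None


def resolve_authz_data(principal, service_values=(), global_values=("MS-PAC",)):
    """Return the set of authorization data types to add for this principal.

    service_values: ipaKrbAuthzData values on the service entry (may be empty).
    global_values:  ipaKrbAuthzData values on the IPA config entry; entries are
                    either 'TYPE' or 'svc:TYPE' (for example 'nfs:NONE').
    """
    # 1. Values set on the service entry itself take precedence.
    if service_values:
        return _effective(service_values)

    # 2. Otherwise split the global default into generic and prefixed entries.
    generic, specific = [], {}
    for value in global_values:
        prefix, sep, typ = value.partition(":")
        if sep:
            specific.setdefault(prefix.lower(), []).append(typ)
        else:
            generic.append(value)

    # 3. A default for this service type overrides the generic default (assumption).
    svc = service_type(principal)
    if svc in specific:
        return _effective(specific[svc])
    return _effective(generic)
```

An empty set means the ticket is issued without a PAC; a non-empty `service_values` always overrides the global entries, including 'nfs:NONE'.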

Seems like #2579 is a dup of this one.

This ticket focuses on services, 2579 refers to users and groups.

Rename "trusts" component to "Trusts" to achieve correct sorting.

Metadata Update from @mkosek:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.2 - 2013/03

7 years ago
