By modifying the DAL LDAP driver it would be possible to list the services a user principal is allowed to get a ticket for. This is possible by implementing the TGS check policy callbacks.
This would allow to better constrain what some principals can actually access over a network (useful for guest accounts, temp workers, contractors, etc...) without having to modify existing applications to add access control.
The most useful case for this policy is a different required strength of authentication (1FA/2FA) required for different services. While internal wiki can be accessed with a ticket acquired via 1FA, public facing Kerberized OTP gateway should be only accessible via ticket gained by 2FA.
This work would leverage MIT Kerberos Authentication Indicator for the authentication strength information.
Blocked by #1289
Moved to December because this feature currently does not have a high priority.
Some s4u2proxy related changes were already done, but the general case is still open. Moving to January.
Moved to the backlog on Simo's request.
Merge KDC LDAP components to one.
This will be part of Nathaniel's work, thus moving to 4.1.
Related to #4498 and #3659
This requires Kerberos CAMMAC extension, which is not yet available. Pushing out to 4.3.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1224057
master:
more patches will come
master: https://fedorahosted.org/freeipa/changeset/4ded2ffc161ec649ba1ccf8d0b528d24028080df
Reopening, a support for host object is missing. There is already a patch on a list: "[PATCH 0096] Add authentication indicators support to Host objects"
It will also need webui counterpart.
Host support pushed:
Web UI pushed in #5872
The only think missing is update of permissions.
permission part: master:
tests:
Metadata Update from @simo: - Issue assigned to npmccallum - Issue set to the milestone: FreeIPA 4.4
Login to comment on this ticket.