freeipa

Clone
Source Code
GIT

5c0e7a5 keytab: Add new extended operation to get a keytab.

5 files Authored by simo 9 years ago, Committed by mkosek 9 years ago,
raw patch tree parent
5 files changed. 594 lines added. 1 lines removed.
daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
file modified
+571 -0
install/share/60basev3.ldif
file modified
+3 -0
install/share/default-aci.ldif
file modified
+7 -0
install/updates/20-aci.update
file modified
+12 -1
util/ipa_krb5.h
file modified
+1 -0 
    keytab: Add new extended operation to get a keytab.
    
    This new extended operation allow to create new keys or retrieve
    existing ones. The new set of keys is returned as a ASN.1 structure
    similar to the one that is passed in by the 'set keytab' extended
    operation.
    
    Access to the operation is regulated through a new special ACI that
    allows 'retrieval' only if the user has access to an attribute named
    ipaProtectedOperation postfixed by the subtypes 'read_keys' and
    'write_keys' to distinguish between creation and retrieval operation.
    
    For example for allowing retrieval by a specific user the following ACI
    is set on cn=accounts:
    
    (targetattr="ipaProtectedOperation;read_keys") ...
     ... userattr=ipaAllowedToPerform;read_keys#USERDN)
    
    This ACI matches only if the service object hosts a new attribute named
    ipaAllowedToPerform that holds the DN of the user attempting the
    operation.
    
    Resolves:
    https://fedorahosted.org/freeipa/ticket/3859
    
    Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
file modified
+571 -0
file modified
+3 -0
file modified
+7 -0
file modified
+12 -1
file modified
+1 -0
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.