#2579 Make MS-PAC optional for IPA users
Closed: Fixed None Opened 9 years ago by abbra.

Not all IPA users need MS-PAC. Make it possible to globally/per-user specify which IPA users/groups should get MS-PAC generated.

Add an optional multivalued attribute to the ipakrbprincipal objectclass in 61kerberos-ipav3.ldif.

ipaAddAuthorizationdata should be a bitfield?

If the attribute is not present, the domain default will be used.
If it is 0, add no auth data (no MS-PAC, no PAD in future).
If it contains MS-PAC, it will be added.
If it contains PAD, it will be added.

MS-PAC defined as 0x01
PAD defined as 0x02

Add the same attribute to the domain object too; it will determine the default action.
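The lookup order proposed above, as an added example that is not part of the ticket or FreeIPA's code. It assumes the attribute is stored as a single numeric bitfield string; `parse_authz` and `effective_authz` are hypothetical names, and the behaviour when neither the principal nor the domain carries the attribute is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit values as proposed in the ticket. */
#define AUTHZ_MS_PAC 0x01u
#define AUTHZ_PAD    0x02u
#define AUTHZ_KNOWN  (AUTHZ_MS_PAC | AUTHZ_PAD)

/* Parse one stored value (decimal or 0x-prefixed hex).
 * Returns 0 and sets *out on success, -1 on malformed input or unknown bits,
 * so a typo cannot silently be read as "0 = add no auth data". */
static int parse_authz(const char *val, unsigned *out)
{
    char *end;
    unsigned long v;

    if (val == NULL || !isdigit((unsigned char)*val))
        return -1;
    v = strtoul(val, &end, 0);
    if (*end != '\0' || (v & ~(unsigned long)AUTHZ_KNOWN))
        return -1;
    *out = (unsigned)v;
    return 0;
}

/* Resolve which authorization data to add for a principal.
 * NULL means "attribute not present", which is distinct from the value "0". */
int effective_authz(const char *principal_val, const char *domain_val,
                    unsigned *out)
{
    if (principal_val != NULL)
        return parse_authz(principal_val, out); /* explicit, including 0 */
    if (domain_val != NULL)
        return parse_authz(domain_val, out);    /* domain default */
    *out = 0; /* assumption: nothing configured anywhere adds nothing */
    return 0;
}

int main(void)
{
    unsigned bits;
    /* Constructed sample: principal set to 0, domain default is MS-PAC. */
    if (effective_authz("0", "0x01", &bits) == 0)
        printf("MS-PAC=%u PAD=%u\n",
               !!(bits & AUTHZ_MS_PAC), !!(bits & AUTHZ_PAD));
    return 0;
}
```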

Check out #3263 too; we added a temp fix in there that needs to be backed out once we have proper support for arbitrarily marking a principal in IPA as 'do not PAC'.


  • 7a20fc6 Allow to specify Kerberos authz data type per user


  • 6798ee6 Allow to specify Kerberos authz data type per user

Metadata Update from @abbra:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.3.1

4 years ago
