Currently, by default, we allow HTTP to get tickets for users for LDAP. The KDC uses an internal ACL mechanism that limits delegation. It is currently configured at install time. We need to expose it in the CLI and UI so that it becomes possible to configure other services to acquire tickets on behalf of other services, following policies defined in IPA.
Also see #3642 and #3643
Also do #3970 when implementing this ticket.
Nathan mentioned this will be required for an OpenStack integration. Moving to earlier release.
Alexander, didn't you already have some patches for this already?
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1132540
Alexander, please see my question in comment:6...
I think this is what I had: https://abbra.fedorapeople.org/.paste/wip-service-constraints.patch
It is probably easier to rewrite the code using ideas from this patch.
Ok, thank you for the pointer. I think Martin could look at that to get some rest from DNSSEC stuff :-).
Moving to later release as it is too late for 4.1 for this change.
Related upstream discussion: http://www.redhat.com/archives/freeipa-devel/2014-September/msg00478.html
Currently, this is stretch for 4.2 - open for anyone willing to help.
Rob should have some cycles to help with this one.
Useful background information can be found in daemons/ipa-kdb/README.s4u2proxy.txt
Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.2