#3644 [RFE] Expose service constrained delegation rules in UI and CLI
Closed: Fixed None Opened 6 years ago by dpal.

Currently, by default, we allow HTTP to get tickets for users for LDAP. The KDC uses an internal ACL mechanism that limits delegation. It is currently configured at install time. We need to expose it in the CLI and UI so that it becomes possible to configure other services to acquire tickets on behalf of other services following policies defined in IPA.

Also see #3642 and #3643
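The install-time ACL the description refers to, modelled in Python as an added illustration (not FreeIPA's ipa-kdb code): a rule lists the proxy principals it covers and the target groups they may obtain tickets for, and a lookup is allowed only when some rule covers the proxy and one of its target groups contains the requested service. Hostnames and the realm are constructed placeholders, as is the second rule showing what exposing the ACL in the CLI/UI makes possible.

```python
"""Simplified model of the service delegation ACL the KDC consults for
S4U2Proxy requests.  Added example; entry shapes are assumptions."""

REALM = "EXAMPLE.TEST"  # placeholder realm


def princ(service, host="ipa.example.test"):
    """Build a service principal name for the constructed sample data."""
    return f"{service}/{host}@{REALM}"


# Constructed sample: the default install-time rule (HTTP -> ldap) plus a
# second rule of the kind the CLI/UI is meant to let an admin define.
DELEGATION_TARGETS = {
    "ipa-ldap-delegation-targets": {princ("ldap")},
    "webapp-targets": {princ("cifs", "files.example.test")},
}
DELEGATION_RULES = {
    "ipa-http-delegation": {
        "members": {princ("HTTP")},
        "targets": {"ipa-ldap-delegation-targets"},
    },
    "webapp-delegation": {
        "members": {princ("HTTP", "web.example.test")},
        "targets": {"webapp-targets"},
    },
}


def allowed_targets(proxy, rules=DELEGATION_RULES, targets=DELEGATION_TARGETS):
    """All service principals `proxy` may obtain tickets for on a user's behalf."""
    result = set()
    for rule in rules.values():
        if proxy not in rule["members"]:
            continue
        for group in rule["targets"]:
            result |= targets.get(group, set())
    return result


def delegation_allowed(proxy, target, rules=DELEGATION_RULES,
                       targets=DELEGATION_TARGETS):
    """True if `proxy` may request a ticket to `target` for a user.

    Anything not explicitly listed is denied, which is the property the
    ACL exists to enforce: services cannot delegate to arbitrary targets."""
    return target in allowed_targets(proxy, rules, targets)
```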


Also do #3970 when implementing this ticket.

Nathan mentioned this will be required for an OpenStack integration. Moving to earlier release.

Alexander, didn't you already have some patches for this?

Alexander, please see my question in comment:6...

I think this is what I had: https://abbra.fedorapeople.org/.paste/wip-service-constraints.patch

It is probably easier to rewrite the code using ideas from this patch.

Ok, thank you for the pointer. I think Martin could look at that to get some rest from DNSSEC stuff :-).

Moving to later release as it is too late for 4.1 for this change.

Related upstream discussion: http://www.redhat.com/archives/freeipa-devel/2014-September/msg00478.html

Currently, this is a stretch for 4.2 - open for anyone willing to help.

Rob should have some cycles to help with this one.

Useful background information can be found in daemons/ipa-kdb/README.s4u2proxy.txt

master:

  • a923284 Add plugin to manage service constraint delegations

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.2

