freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#3644 [RFE] Expose service constrained delegation rules in UI and CLI

Created 5 years ago by dpal
Modified 2 years ago

Currently by default we allow HTTP to get tickets for users for LDAP. KDC uses internal ACL mechanism that limits delegation. It is currently configured at the install time. We need to expose it in the CLI and UI so that it becomes possible to configure other services to acquire tickets on behalf of other services following policies defined in IPA.

Also see #3642 and #3643

Also do #3970 when implementing this ticket.

Nathan mentioned this will be required for an OpenStack integration. Moving to earlier release.

Alexander, didn't you already have some patches for this already?

Alexander, please see my question in comment:6...

I think this is what I had: https://abbra.fedorapeople.org/.paste/wip-service-constraints.patch

It is probably easier to rewrite the code using ideas from this patch.

Ok, thank you for the pointer. I think Martin could look at that to get some rest from DNSSEC stuff :-).

Moving to later release as it is too late for 4.1 for this change.

Related upstream discussion: http://www.redhat.com/archives/freeipa-devel/2014-September/msg00478.html

Currently, this is stretch for 4.2 - open for anyone willing to help.

Rob should have some cycles to help with this one.

Useful background information can be found in daemons/ipa-kdb/README.s4u2proxy.txt

master:

  • a923284 Add plugin to manage service constraint delegations
2 years ago

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.2

Login to comment on this ticket.

enhancement

Management framework

1

mbasti

https://bugzilla.redhat.com/show_bug.cgi?id=1132540

http://www.freeipa.org/page/V4/Service_Constraint_Delegation

cancel