#433 [RFE] TGS authorization decisions in KDC based on Authentication Indicator
Status: Closed (Fixed). Opened 13 years ago by simo.

By modifying the DAL LDAP driver it would be possible to list the services a user principal is allowed to get a ticket for. This is possible by implementing the TGS check policy callbacks.

This would allow us to better constrain what some principals can actually access over a network (useful for guest accounts, temp workers, contractors, etc.) without having to modify existing applications to add access control.

The most useful case for this policy is a different required strength of authentication (1FA/2FA) for different services. While an internal wiki can be accessed with a ticket acquired via 1FA, a public-facing Kerberized OTP gateway should only be accessible via a ticket gained by 2FA.

This work would leverage MIT Kerberos Authentication Indicator for the authentication strength information.
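The decision described above (compare the authentication indicators carried in the client's TGT against the indicators a service principal requires, and refuse the service ticket when none matches) can be sketched as a small policy check. The following is an added illustration, not FreeIPA's DAL driver or MIT Kerberos code; the service principal names, the policy table and the "any listed indicator satisfies the requirement" rule are constructed for the example.

```python
"""Toy model of a KDC TGS policy check driven by authentication indicators.

Constructed example; it does not reproduce the MIT krb5 DAL callbacks or
FreeIPA's LDAP driver, only the decision they would have to make.
"""
from dataclasses import dataclass

# Constructed policy table: service principal -> indicators that satisfy it.
# An empty set means the service has no indicator requirement (1FA is enough).
# The table mirrors the wiki vs. OTP-gateway case from the ticket description.
SERVICE_POLICY = {
    "HTTP/wiki.example.test@EXAMPLE.TEST": frozenset(),
    "HTTP/otp-gateway.example.test@EXAMPLE.TEST": frozenset({"otp", "radius"}),
}


def parse_require_auth(value):
    """Parse a space-separated indicator list (assumed format) into a frozenset."""
    return frozenset(token for token in value.split() if token)


@dataclass(frozen=True)
class TgsRequest:
    """The parts of a TGS-REQ the policy check needs."""
    client: str            # requesting client principal
    server: str            # service principal a ticket is requested for
    indicators: frozenset  # authentication indicators carried in the TGT


def check_tgs_policy(req, policy=SERVICE_POLICY):
    """Return (allowed, reason) for a TGS request.

    A service with no entry, or an empty entry, has no requirement.  Otherwise
    any one of the required indicators present in the TGT is sufficient; a TGT
    with none of them is refused with a policy error.
    """
    required = policy.get(req.server, frozenset())
    if not required:
        return True, "no authentication indicator required"
    matched = req.indicators & required
    if matched:
        return True, "satisfied by indicator %s" % sorted(matched)[0]
    return False, "KDC_ERR_POLICY: requires one of %s, TGT carries %s" % (
        sorted(required), sorted(req.indicators) or "none")


def evaluate(requests, policy=SERVICE_POLICY):
    """Evaluate a batch of requests; returns a list of (server, allowed, reason)."""
    return [(r.server,) + check_tgs_policy(r, policy) for r in requests]


if __name__ == "__main__":
    # Constructed sample: a 1FA ticket holder and a 2FA (OTP) ticket holder.
    sample = [
        TgsRequest("guest@EXAMPLE.TEST",
                   "HTTP/wiki.example.test@EXAMPLE.TEST", frozenset()),
        TgsRequest("guest@EXAMPLE.TEST",
                   "HTTP/otp-gateway.example.test@EXAMPLE.TEST", frozenset()),
        TgsRequest("alice@EXAMPLE.TEST",
                   "HTTP/otp-gateway.example.test@EXAMPLE.TEST",
                   parse_require_auth("otp")),
    ]
    for server, allowed, reason in evaluate(sample):
        print("%-48s %s (%s)" % (server, "ALLOW" if allowed else "DENY", reason))
```

The model treats a service without a listed requirement as unrestricted, which is the behaviour to watch for when rolling such a policy out: the services that matter must actually carry a requirement, and a TGT obtained by password alone carries no indicator at all, so it is refused wherever one is required.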

Moved to December because this feature currently does not have a high priority.

Some s4u2proxy-related changes were already done, but the general case is still open. Moving to January.

Moved to the backlog on Simo's request.

Merge KDC LDAP components to one.

This will be part of Nathaniel's work, thus moving to 4.1.

This requires Kerberos CAMMAC extension, which is not yet available. Pushing out to 4.3.
Pushed:

  • cd9bc84 Rename syncreq.[ch] to otpctrl.[ch]
  • 168a6c7 Ensure that ipa-otpd bind auths validate an OTP
  • 204200d Return password-only preauth if passwords are allowed
  • 8f356a4 Enable authentication indicators for OTP and RADIUS

More patches will come.

Reopening: support for host objects is missing. There is already a patch on the list: "[PATCH 0096] Add authentication indicators support to Host objects"

It will also need a Web UI counterpart.

Host support pushed:

  • 0855b01 Add authentication indicators support to Host objects

Web UI pushed in #5872

The only thing missing is the update of permissions.

Permission part:

  • 97db87b host: Added permissions for auth. indicators read/modify
  • 235b19b service: Added permissions for auth. indicators read/modify

Tests pushed:

  • 0f9a5ce Tests: Tracker class for services
  • dcdbbb9 Tests: Authentication indicators xmlrpc tests
  • aab8611 Tests: Authentication indicators integration tests

Metadata Update from @simo:
- Issue assigned to npmccallum
- Issue set to the milestone: FreeIPA 4.4

7 years ago