#5782 ipa-kdb support for krbPrincipalAuthInd
Closed: Fixed None Opened 5 years ago by mrogers.

The MIT Kerberos LDAP KDB plugin stores the require_auth authentication indicator string in a krbPrincipalAuthInd attribute, taking preference over require_auth entries already stored in krbExtraData.
https://github.com/krb5/krb5/commit/0bdd3b8058ed4ec9acc050e316bea86f6830b15f

This same behavior needs to happen for the ipa-kdb plugin as well, per
http://www.freeipa.org/page/V4/Authentication_Indicators#Verify_Authentication_Indicators_During_Ticket_Issuance_.28TGSReq.29

This enhancement would be a dependency for https://fedorahosted.org/freeipa/ticket/433


master:

  • 8a2afca ipa_kdb: add krbPrincipalAuthInd handling

Metadata Update from @mrogers:
- Issue assigned to mrogers
- Issue set to the milestone: FreeIPA 4.4

4 years ago

Login to comment on this ticket.

Metadata