The MIT Kerberos LDAP KDB plugin stores the require_auth authentication indicator string in a krbPrincipalAuthInd attribute, taking preference over require_auth entries already stored in krbExtraData. https://github.com/krb5/krb5/commit/0bdd3b8058ed4ec9acc050e316bea86f6830b15f
This same behavior needs to happen for the ipa-kdb plugin as well, per http://www.freeipa.org/page/V4/Authentication_Indicators#Verify_Authentication_Indicators_During_Ticket_Issuance_.28TGSReq.29
This enhancement would be a dependency for https://fedorahosted.org/freeipa/ticket/433
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1224057 (Red Hat Enterprise Linux 7)
Matt sent a patch for this ticket, updating the ticket accordingly.
https://www.redhat.com/archives/freeipa-devel/2016-April/msg00063.html
master:
Metadata Update from @mrogers: - Issue assigned to mrogers - Issue set to the milestone: FreeIPA 4.4