[freeipa PR#851][opened] ipa-kdb: add pkinit authentication indicator in case of a successful certauth
by abbra
URL: https://github.com/freeipa/freeipa/pull/851
Author: abbra
Title: #851: ipa-kdb: add pkinit authentication indicator in case of a successful certauth
Action: opened
PR body:
"""
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).
A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.
SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.
Fixes https://pagure.io/freeipa/issue/6736
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/851/head:pr851
git checkout pr851
[freeipa PR#812][opened] Refactoring cert-find to use API call directly instead of using
by felipevolpone
URL: https://github.com/freeipa/freeipa/pull/812
Author: felipevolpone
Title: #812: Refactoring cert-find to use API call directly instead of using
Action: opened
PR body:
"""
Refactoring cert-find to use API calls directly instead of using raw LDAP search.
Upstream ticket: https://pagure.io/freeipa/issue/6948
I removed the raw LDAP search and used the API directly. In the old code, the call `self.obj._owners()` returns `service, hosts and user`. However, when testing the code, only the service was being used, so I made it only use the service API.
If there is another scenario where `user and host` are used, I thought to do something like:
```python
for owner in self.obj._owners():
    api_name = owner.name
    response = api.Command[api_name+'_find'](options[api_name])
    ... # continues
```
Is that correct?
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/812/head:pr812
git checkout pr812