[freeipa PR#2147][opened] Add a skeleton kdcpolicy plugin
by frozencemetery
URL: https://github.com/freeipa/freeipa/pull/2147
Author: frozencemetery
Title: #2147: Add a skeleton kdcpolicy plugin
Action: opened
PR body:
"""
Signed-off-by: Robbie Harwood <rharwood(a)redhat.com>
Back in krb5-1.16 (and in RHEL-7.5), I added the [kdcpolicy plugin](http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/kdcpolicy.html) to krb5. This interface allows a module to hook all AS and TGS requests, potentially reject them, and manipulate ticket lifetimes. This PR is a basic implementation of the interface, with all the plumbing IPA needs to get it loaded and installed.
There are two use cases I had in mind, though of course many more are possible (this is a very powerful place to have a hook into the KDC):
- Reduced ticket lifetimes based on [auth indicator](http://web.mit.edu/kerberos/krb5-devel/doc/admin/auth_indicato...
- Adding (well, subtracting) random jitter from certain principal lifetimes to reduce contention from groups of tickets all needing renewal simultaneously
Since presumably we don't want any of that to be hardcoded behavior, the difficult part is now making it all configurable. (As well as figuring out any behavior we want to control at the moment). Per IRC conversation, I'm opening this PR so that we have something to look at while we discuss that.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2147/head:pr2147
git checkout pr2147
4 years, 8 months
wiki group
by Manuela Silva
Hi,
I am a Portuguese translator and new to FreeIPA, and I would like to ask to be added to the editor wiki group, please.
Thank you.
Sincerely,
Manuela Silva
4 years, 8 months
[freeipa PR#3542][opened] extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
by sumit-bose
URL: https://github.com/freeipa/freeipa/pull/3542
Author: sumit-bose
Title: #3542: extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
Action: opened
PR body:
"""
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exist, otherwise the data of existing objects might be removed from
the cache of the clients causing unexpected behaviour like
authentication errors.
Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout-related error codes will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.
Related to https://pagure.io/freeipa/issue/8044
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3542/head:pr3542
git checkout pr3542
4 years, 8 months
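The error mapping described in PR#3542, as an added example that is not code from the PR or from FreeIPA: it contrasts a default of LDAP_NO_SUCH_OBJECT with the ENOENT-only mapping and shows the effect on a client cache entry. The helper names, the use of ETIMEDOUT as the timeout errno, the sample user name and the one-entry cache model are assumptions; the result code values are those of RFC 4511.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* LDAP result codes (RFC 4511), defined locally so no LDAP headers are needed. */
enum { LDAP_SUCCESS = 0x00, LDAP_OPERATIONS_ERROR = 0x01,
       LDAP_TIMELIMIT_EXCEEDED = 0x03, LDAP_NO_SUCH_OBJECT = 0x20 };

/* "Before" pattern: every failure is reported as "no such object". */
static int map_err_legacy(int err)
{
    return err == 0 ? LDAP_SUCCESS : LDAP_NO_SUCH_OBJECT;
}

/* "After" pattern: only ENOENT means the object really does not exist. */
static int map_err_unified(int err)
{
    switch (err) {
    case 0:         return LDAP_SUCCESS;
    case ENOENT:    return LDAP_NO_SUCH_OBJECT;
    case ETIMEDOUT: return LDAP_TIMELIMIT_EXCEEDED; /* assumed timeout errno */
    default:        return LDAP_OPERATIONS_ERROR;
    }
}

/* Simplified client model (assumption): a cached object is dropped only when
 * the server answers LDAP_NO_SUCH_OBJECT; other errors keep the cached data. */
struct cache_entry { const char *name; bool present; };

/* True if the cached user survives a server-side lookup that failed with err. */
static bool survives_lookup_failure(int (*map)(int), int err)
{
    struct cache_entry e = { "aduser@ad.example.test", true }; /* constructed */
    if (map(err) == LDAP_NO_SUCH_OBJECT)
        e.present = false;
    return e.present;
}

int main(void)
{
    printf("timeout, legacy mapping : cached=%d\n",
           survives_lookup_failure(map_err_legacy, ETIMEDOUT));
    printf("timeout, unified mapping: cached=%d\n",
           survives_lookup_failure(map_err_unified, ETIMEDOUT));
    printf("ENOENT,  unified mapping: cached=%d\n",
           survives_lookup_failure(map_err_unified, ENOENT));
    return 0;
}
```

With the legacy mapping a transient timeout evicts an existing user from the cache, which is the path to the authentication errors the PR body mentions.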