author: Simo Sorce <simo@redhat.com> 2013-09-17 00:30:14 -0400
committer: Simo Sorce <simo@redhat.com> 2014-06-09 14:49:42 -0400
commit: aa785cf1ce101382c2adbc4a3c70361d1e7a27e0 (patch)
tree: 0408190d0081c4e702048273dfb80dfa8434541f /ipapython/py_default_encoding
parent: f440e927d8a66a3dd2e6505825e671052f66ae3e (diff)

keytab: Add new extended operation to get a keytab.

This new extended operation allows creating new keys or retrieving existing ones. The new set of keys is returned as an ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation.

Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operations.

For example, for allowing retrieval by a specific user the following ACI is set on cn=accounts:

(targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation.

Resolves: https://fedorahosted.org/freeipa/ticket/3859

Diffstat (limited to 'ipapython/py_default_encoding')
0 files changed, 0 insertions, 0 deletions