author    Simo Sorce <simo@redhat.com>  2013-09-17 00:30:14 -0400
committer Martin Kosek <mkosek@redhat.com>  2014-06-26 10:30:53 +0200
commit    5c0e7a5fb420377dcc06a956695afdcb35196444 (patch)
tree      20458627de698dcb7dbc2b06c00ab9ea155c5b99 /util
parent    88bcf5899c3bd12b05d017436df0fc1374c954a5 (diff)
keytab: Add new extended operation to get a keytab.
This new extended operation allows creating new keys or retrieving existing ones. The new set of keys is returned as an ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation.

Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operations.

For example, to allow retrieval by a specific user, the following ACI is set on cn=accounts:

    (targetattr="ipaProtectedOperation;read_keys")
    ...
    ... userattr=ipaAllowedToPerform;read_keys#USERDN)

This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation.

Resolves: https://fedorahosted.org/freeipa/ticket/3859

Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com>
Diffstat (limited to 'util')
-rw-r--r--  util/ipa_krb5.h  1
1 files changed, 1 insertions, 0 deletions
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
index 7fb035572..2431fd70b 100644
--- a/util/ipa_krb5.h
+++ b/util/ipa_krb5.h
@@ -27,6 +27,7 @@ struct keys_container {
#define KEYTAB_SET_OID "2.16.840.1.113730.3.8.10.1"
#define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"
+#define KEYTAB_GET_OID "2.16.840.1.113730.3.8.10.5"
void
ipa_krb5_free_ktypes(krb5_context context, krb5_enctype *val);
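Review bot: The new KEYTAB_GET_OID jumps from ...3.8.10.2 to ...3.8.10.5 with no comment explaining the gap or where the allocation is recorded; add a one-line comment beside the #define identifying it as the 'get keytab' extended operation from the commit message and pointing at the project's OID registry, so the next reader does not assume .10.3 and .10.4 are free to take. Also worth noting in the message that this util change only introduces the constant; the server-side handler and the ipaProtectedOperation ACI checks described above live outside this diff (it is limited to 'util').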