mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-27 09:21:59 -06:00
5c0e7a5fb4
This new extended operation allows creating new keys or retrieving existing ones. The new set of keys is returned as an ASN.1 structure similar to the one that is passed in by the 'set keytab' extended operation. Access to the operation is regulated through a new special ACI that allows 'retrieval' only if the user has access to an attribute named ipaProtectedOperation postfixed by the subtypes 'read_keys' and 'write_keys' to distinguish between creation and retrieval operations. For example, for allowing retrieval by a specific user, the following ACI is set on cn=accounts: (targetattr="ipaProtectedOperation;read_keys") ... ... userattr=ipaAllowedToPerform;read_keys#USERDN) This ACI matches only if the service object hosts a new attribute named ipaAllowedToPerform that holds the DN of the user attempting the operation. Resolves: https://fedorahosted.org/freeipa/ticket/3859 Reviewed-By: Nathaniel McCallum <npmccallum@redhat.com> |
||
---|---|---|
.. | ||
common | ||
ipa-cldap | ||
ipa-dns | ||
ipa-enrollment | ||
ipa-extdom-extop | ||
ipa-lockout | ||
ipa-modrdn | ||
ipa-otp-lasttoken | ||
ipa-pwd-extop | ||
ipa-range-check | ||
ipa-sidgen | ||
ipa-uuid | ||
ipa-version | ||
ipa-winsync | ||
libotp | ||
Makefile.am | ||
README |