mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-01-28 09:06:44 -06:00
9c0a35f1e7
As of release 1.17, KDC can be configured to apply authentication indicator for SPAKE, PKINIT, and encrypted challenge preauth via FAST channel, which are not configured in current version of freeIPA. Note that even though the value of encrypted_challenge_indicator is attached only when encrypted challenge preauth is performed along a FAST channel, it's possible to perform FAST without encrypted challenge by using SPAKE. Since there is no reason to force clients not to use SPAKE while using FAST, we made a design choice to merge SPAKE and FAST in a new option called "Hardened Password", which requires user to use at least one of SPAKE or FAST channel. Hence same value attaching to both spake_preauth_indicator and encrypted_challenge_indicator. Resolves: https://pagure.io/freeipa/issue/8001 Signed-off-by: Changmin Teng <cteng@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> Reviewed-By: Robbie Harwood <rharwood@redhat.com> |
||
|---|---|---|
| .. | ||
| certmonger | ||
| custodia | ||
| html | ||
| migration | ||
| oddjob | ||
| restart_scripts | ||
| share | ||
| tools | ||
| ui | ||
| updates | ||
| wsgi | ||
| Makefile.am | ||
| README.schema | ||
Ground rules on adding new schema Brand new schema, particularly when written specifically for IPA, should be added in share/*.ldif. Any new files need to be explicitly loaded in ipaserver/install/dsinstance.py. These simply get copied directly into the new instance schema directory. Existing schema (e.g. in an LDAP draft) may either be added as a separate ldif in share or as an update in the updates directory. The advantage of adding the schema as an update is if 389-ds ever adds the schema then the installation won't fail due to existing schema failing to load during bootstrap. If the new schema requires a new container then this should be added to install/bootstrap-template.ldif.