URL: https://github.com/freeipa/freeipa/pull/2147 Author: frozencemetery Title: #2147: Add a skeleton kdcpolicy plugin Action: opened
PR body: """ Signed-off-by: Robbie Harwood rharwood@redhat.com
Back in krb5-1.16 (and in RHEL-7.5), I added the [kdcpolicy plugin](http://web.mit.edu/kerberos/krb5-devel/doc/plugindev/kdcpolicy.html) to krb5. This interface allows a module to hook all AS and TGS requests, potentially reject them, and manipulate ticket lifetimes. This PR is a basic implementation of the interface, with all the plumbing IPA needs to get it loaded and installed.
There are two use cases I had in mind, though of course many more are possible (this is a very powerful place to have a hook into the KDC):
- Reduced ticket lifetimes based on [auth indicator](http://web.mit.edu/kerberos/krb5-devel/doc/admin/auth_indicator.html)
- Adding (well, subtracting) random jitter from certain principal lifetimes to reduce contention from groups of tickets all needing renewal simultaneously
Since presumably we don't want any of that to be hardcoded behavior, the difficult part is now making it all configurable. (As well as figuring out any behavior we want to control at the moment). Per IRC conversation, I'm opening this PR so that we have something to look at while we discuss that. """
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2147/head:pr2147
git checkout pr2147
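The two lifetime policies described in the PR body, as an added example that is not the PR's or krb5's own code: the pure C core that a kdcpolicy check_as or check_tgs callback could call to fill in lifetime_out. The cap table, the indicator names and the xorshift-based jitter scheme are constructed assumptions, not anything IPA ships.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not the PR's code: the policy core a kdcpolicy check_as /
 * check_tgs callback could call to compute lifetime_out. */

typedef struct {
    const char *indicator;  /* auth indicator string as the KDC passes it */
    int32_t max_seconds;    /* lifetime cap applied when it is present */
} lifetime_cap;

/* Constructed sample table (assumed names/values); IPA would load this from config. */
static const lifetime_cap sample_caps[] = {
    { "pkinit", 24 * 3600 },
    { "otp",     8 * 3600 },
    { "weak",    1 * 3600 },
};
#define N_CAPS (sizeof(sample_caps) / sizeof(sample_caps[0]))

static uint32_t xorshift32(uint32_t x)
{
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return x;
}

/* Jitter in [0, max_jitter) derived from a per-principal seed, so one principal's
 * tickets expire at staggered but reproducible offsets (assumed scheme). */
static int32_t jitter_for(uint32_t seed, int32_t max_jitter)
{
    if (max_jitter <= 0)
        return 0;
    return (int32_t)(xorshift32(seed ? seed : 0x9e3779b9u) % (uint32_t)max_jitter);
}

/* Apply the tightest cap among the indicators present, then subtract jitter,
 * never going below floor_seconds. indicators is NULL-terminated or NULL. */
static int32_t policy_lifetime(const char *const *indicators, int32_t requested,
                               const lifetime_cap *caps, size_t ncaps,
                               uint32_t seed, int32_t max_jitter, int32_t floor_seconds)
{
    int32_t lifetime = requested;
    for (const char *const *ind = indicators; ind != NULL && *ind != NULL; ind++)
        for (size_t i = 0; i < ncaps; i++)
            if (strcmp(*ind, caps[i].indicator) == 0 && caps[i].max_seconds < lifetime)
                lifetime = caps[i].max_seconds;
    if (lifetime > floor_seconds) {
        int32_t j = jitter_for(seed, max_jitter);
        lifetime = (lifetime - j < floor_seconds) ? floor_seconds : lifetime - j;
    }
    return lifetime;
}
```

A real module would wrap this in the vtable's check_as/check_tgs callbacks and return KRB5KDC_ERR_POLICY from them when a request should be rejected outright.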
URL: https://github.com/freeipa/freeipa/pull/2147 Author: frozencemetery Title: #2147: Add a skeleton kdcpolicy plugin Action: closed
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2147/head:pr2147
git checkout pr2147
freeipa-devel@lists.stg.fedorahosted.org