attribute to require pkinit?
Sam Hartman
hartmans at MIT.EDU
Wed Nov 29 14:06:05 EST 2006
>>>>> "Nicolas" == Nicolas Williams <Nicolas.Williams at sun.com> writes:
Nicolas> On Wed, Nov 29, 2006 at 12:54:05PM -0500, Sam Hartman
Nicolas> wrote:
>> >>>>> "Ken" == Ken Renard <kdrenard at wareonearth.com> writes:
>>
Ken> How about an attribute that lists the acceptable preauth
Ken> types for a user [combined with preauth_required flag]? The
Ken> "hw_auth" flag would be a complementary attribute that might
Ken> limit the acceptable client certificates to those known to be
Ken> on a smartcard.
>>
>>
>> This is both clearly the right answer and very difficult to
>> implement, which is why I did not mention it.
Nicolas> Why is it difficult to implement? Because of the LDAP
Nicolas> KDB backend?
More because of the kadm5 API and the db2 backend.
I think the LDAP side is easy.
More information about the krbdev
mailing list