<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11.08.2016 18:57, Pavel Vomacka
wrote:<br>
</div>
<blockquote
cite="mid:2c35a975-2f44-1557-7770-cba7105e580c@redhat.com"
type="cite">
<br>
<br>
On 08/11/2016 02:00 PM, Petr Vobornik wrote:
<br>
<blockquote type="cite">On 08/11/2016 10:54 AM, Alexander Bokovoy
wrote:
<br>
<blockquote type="cite">On Thu, 11 Aug 2016, Jan Cholasta wrote:
<br>
<blockquote type="cite">On 4.8.2016 17:27, Jan Pazdziora
wrote:
<br>
<blockquote type="cite">On Wed, Aug 03, 2016 at 10:29:52AM
+0300, Alexander Bokovoy wrote:
<br>
<blockquote type="cite">Got it. One thing I would correct,
though, -- don't use
<br>
kadmin.local, we
<br>
do support setting ok_as_delegate on the service
principals via IPA
<br>
CLI:
<br>
$ ipa service-mod --help |grep -A1 ok-as-delegate
<br>
--ok-as-delegate=BOOL
<br>
Client credentials may be
delegated to the
<br>
service
<br>
</blockquote>
I've tried
<br>
<br>
ipa service-mod --ok-as-delegate=True
HTTP/$(hostname)
<br>
<br>
but that does not seem to have the same effect as
<br>
<br>
modprinc +ok_to_auth_as_delegate
HTTP/ipa.example.test
<br>
<br>
      -- obtaining the delegated certificate fails.
<br>
</blockquote>
That's because ok_as_delegate and ok_to_auth_as_delegate are
different
<br>
flags.
<br>
</blockquote>
Right. The following patch adds ok_to_auth_as_delegate to the
service
<br>
principal.
<br>
<br>
I haven't added any tickets to it yet.
<br>
<br>
<br>
</blockquote>
      This might also deserve a nice Web UI checkbox similar to "Trusted
for
<br>
delegation". CCing Pavel.
<br>
<br>
</blockquote>
      Here is a patch with the new checkbox. It is without a ticket in the
      commit message, so once we have the ticket I will send another patch
      with an updated commit message.
<br>
</blockquote>
<br>
<a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/newticket">https://fedorahosted.org/freeipa/newticket</a><br>
<br>
;-)<br>
<br>
<br>
</body>
</html>