<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/17/2016 04:11 PM, Tibor Dudlak
wrote:<br>
</div>
<blockquote
cite="mid:CALKh170G0Bj-B=Fk=GAb9gZDH4r_HBTahv-n8RWwiqS1uRqBEw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Aug 17, 2016 at 3:36 PM,
Stanislav Laznicka <span dir="ltr">&lt;<a
moz-do-not-send="true" href="mailto:slaznick@redhat.com"
target="_blank">slaznick@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 08/16/2016 03:16 PM, Tibor Dudlak wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div>
<div>Hi,<br>
<br>
</div>
I have edited this patch after review. It
should be okay now.<br>
<br>
</div>
Thank you.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 11, 2016 at
7:49 PM, Petr Vobornik <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:pvoborni@redhat.com"
target="_blank">pvoborni@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px
0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div>
<div>On 08/11/2016 07:21 PM, Martin Basti
wrote:<br>
><br>
><br>
> On 11.08.2016 18:57, Pavel Vomacka
wrote:<br>
>><br>
>><br>
>> On 08/11/2016 02:00 PM, Petr
Vobornik wrote:<br>
>>> On 08/11/2016 10:54 AM,
Alexander Bokovoy wrote:<br>
>>>> On Thu, 11 Aug 2016,
Jan Cholasta wrote:<br>
>>>>> On 4.8.2016 17:27,
Jan Pazdziora wrote:<br>
>>>>>> On Wed, Aug 03,
2016 at 10:29:52AM +0300, Alexander
Bokovoy wrote:<br>
>>>>>>> Got it. One
thing I would correct, though, -- don't
use<br>
>>>>>>>
kadmin.local, we<br>
>>>>>>> do support
setting ok_as_delegate on the service
principals via IPA<br>
>>>>>>> CLI:<br>
>>>>>>> $ ipa
service-mod --help |grep -A1
ok-as-delegate<br>
>>>>>>>
--ok-as-delegate=BOOL<br>
>>>>>>>
Client credentials may be
delegated to the<br>
>>>>>>> service<br>
>>>>>> I've tried<br>
>>>>>><br>
>>>>>> ipa
service-mod --ok-as-delegate=True
HTTP/$(hostname)<br>
>>>>>><br>
>>>>>> but that does
not seem to have the same effect as<br>
>>>>>><br>
>>>>>> modprinc
+ok_to_auth_as_delegate
HTTP/ipa.example.test<br>
>>>>>><br>
>>>>>> -- obtaining
the delegated certificated fails.<br>
>>>>> That's because
ok_as_delegate and
ok_to_auth_as_delegate are different<br>
>>>>> flags.<br>
>>>> Right. The following
patch adds ok_to_auth_as_delegate to the
service<br>
>>>> principal.<br>
>>>><br>
>>>> I haven't added any
tickets to it yet.<br>
>>>><br>
>>>><br>
>>> This might deserve also
nice Web UI checkbox similar to "Trusted
for<br>
>>> delegation". CCing Pavel.<br>
>>><br>
>> Here is patch with new
checkbox. It is without ticket in commit
message so<br>
>> once we will have the ticket I
will send another patch with updated
commit<br>
>> message.<br>
><br>
> <a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/newticket"
rel="noreferrer" target="_blank">https://fedorahosted.org/freei<wbr>pa/newticket</a><br>
><br>
> ;-)<br>
<br>
</div>
</div>
It's prerequisite for <a
moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/5764"
rel="noreferrer" target="_blank">https://fedorahosted.org/freei<wbr>pa/ticket/5764</a>
so we<br>
might use that.<br>
<div>
<div><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
</div>
</div>
Please, add your answers at the end of the previous mail
in the future.<br>
<br>
Also, your patch raises pep8 errors:<br>
./ipaserver/plugins/xmlserver.<wbr>py:31:80: E501 line
too long (189 > 79 characters)<br>
./ipaserver/rpcserver.py:885:<wbr>5: E113 unexpected
indentation<br>
<br>
Could you please fix them?<br>
</div>
</blockquote>
</div>
<br>
<div>
<div>
<div>Hi,<br>
<br>
</div>
Thanks for the review, Stanislav. I understand
./ipaserver/rpcserver.py:885:<wbr>5: E113 unexpected
indentation; that is my fault, but I really do not understand
the first one. Is there a policy that you decided not to patch
existing files, even if there was obviously a longer line
before the patch until it is not necessary?<br>
</div>
Anyway, I hope it should be ok now.<br>
<br>
</div>
Thank you.<br>
</div>
</div>
</blockquote>
<p>There's a policy to try to be pep8 compliant as much as we can
with any new patches. Your new patch would still raise some pep8
errors; please see the attached patch, which should be ok. If it's
ok with you, then ACK; it seems to be working.<br>
</p>
</body>
</html>