<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/16/2016 03:16 PM, Tibor Dudlak
wrote:<br>
</div>
<blockquote
cite="mid:CALKh171XwfFc5kp4qUPrUhrgptkC=31AbOC=-UjDSP_4dKWo0Q@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Hi,<br>
<br>
</div>
I have edited this patch after review. It should be okay now.<br>
<br>
</div>
Thank you.<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Aug 11, 2016 at 7:49 PM, Petr
Vobornik <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">On 08/11/2016 07:21 PM, Martin Basti
wrote:<br>
><br>
><br>
> On 11.08.2016 18:57, Pavel Vomacka wrote:<br>
>><br>
>><br>
>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:<br>
>>> On 08/11/2016 10:54 AM, Alexander Bokovoy
wrote:<br>
>>>> On Thu, 11 Aug 2016, Jan Cholasta
wrote:<br>
>>>>> On 4.8.2016 17:27, Jan Pazdziora
wrote:<br>
>>>>>> On Wed, Aug 03, 2016 at
10:29:52AM +0300, Alexander Bokovoy wrote:<br>
>>>>>>> Got it. One thing I would
correct, though, -- don't use<br>
>>>>>>> kadmin.local, we<br>
>>>>>>> do support setting
ok_as_delegate on the service principals via IPA<br>
>>>>>>> CLI:<br>
>>>>>>> $ ipa service-mod --help
|grep -A1 ok-as-delegate<br>
>>>>>>> --ok-as-delegate=BOOL<br>
>>>>>>>
Client credentials may be delegated to the<br>
>>>>>>> service<br>
>>>>>> I've tried<br>
>>>>>><br>
>>>>>> ipa service-mod
--ok-as-delegate=True HTTP/$(hostname)<br>
>>>>>><br>
>>>>>> but that does not seem to have
the same effect as<br>
>>>>>><br>
>>>>>> modprinc
+ok_to_auth_as_delegate HTTP/ipa.example.test<br>
>>>>>><br>
>>>>>> -- obtaining the delegated
certificated fails.<br>
>>>>> That's because ok_as_delegate and
ok_to_auth_as_delegate are different<br>
>>>>> flags.<br>
>>>> Right. The following patch adds
ok_to_auth_as_delegate to the service<br>
>>>> principal.<br>
>>>><br>
>>>> I haven't added any tickets to it yet.<br>
>>>><br>
>>>><br>
>>> This might deserve also nice Web UI
checkbox similar to "Trusted for<br>
>>> delegation". CCing Pavel.<br>
>>><br>
>> Here is patch with new checkbox. It is without
ticket in commit message so<br>
>> once we will have the ticket I will send
another patch witch updated commit<br>
>> message.<br>
><br>
> <a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/newticket"
rel="noreferrer" target="_blank">https://fedorahosted.org/<wbr>freeipa/newticket</a><br>
><br>
> ;-)<br>
<br>
</div>
</div>
It's prerequisite for <a moz-do-not-send="true"
href="https://fedorahosted.org/freeipa/ticket/5764"
rel="noreferrer" target="_blank">https://fedorahosted.org/<wbr>freeipa/ticket/5764</a>
so we<br>
might use that.<br>
<div class="HOEnZb">
<div class="h5"><br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
Please, add your answers at the end of the previous mail in the
future.<br>
<br>
Also, your patch raises pep8 errors:<br>
./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 >
79 characters)<br>
./ipaserver/rpcserver.py:885:5: E113 unexpected indentation<br>
<br>
Could you please fix them?<br>
</body>
</html>