<div dir="ltr"><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 17, 2016 at 3:36 PM, Stanislav Laznicka <span dir="ltr">&lt;<a href="mailto:slaznick@redhat.com" target="_blank">slaznick@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div><div class="h5">
    <div>On 08/16/2016 03:16 PM, Tibor Dudlak
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr">
        <div>
          <div>Hi,<br>
            <br>
          </div>
          I have edited this patch after review. It should be okay now.<br>
          <br>
        </div>
        Thank you.<br>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Aug 11, 2016 at 7:49 PM, Petr
          Vobornik <span dir="ltr">&lt;<a href="mailto:pvoborni@redhat.com" target="_blank">pvoborni@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
            <div>
              <div>On 08/11/2016 07:21 PM, Martin Basti
                wrote:<br>
                ><br>
                ><br>
                > On 11.08.2016 18:57, Pavel Vomacka wrote:<br>
                >><br>
                >><br>
                >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:<br>
                >>> On 08/11/2016 10:54 AM, Alexander Bokovoy
                wrote:<br>
                >>>> On Thu, 11 Aug 2016, Jan Cholasta
                wrote:<br>
                >>>>> On 4.8.2016 17:27, Jan Pazdziora
                wrote:<br>
                >>>>>> On Wed, Aug 03, 2016 at
                10:29:52AM +0300, Alexander Bokovoy wrote:<br>
                >>>>>>> Got it. One thing I would
                correct, though, -- don't use<br>
                >>>>>>> kadmin.local, we<br>
                >>>>>>> do support setting
                ok_as_delegate on the service principals via IPA<br>
                >>>>>>> CLI:<br>
                >>>>>>> $ ipa service-mod --help
                |grep -A1 ok-as-delegate<br>
                >>>>>>> --ok-as-delegate=BOOL<br>
                >>>>>>>                       
                Client credentials may be delegated to the<br>
                >>>>>>> service<br>
                >>>>>> I've tried<br>
                >>>>>><br>
                >>>>>>      ipa service-mod
                --ok-as-delegate=True HTTP/$(hostname)<br>
                >>>>>><br>
                >>>>>> but that does not seem to have
                the same effect as<br>
                >>>>>><br>
                >>>>>>      modprinc
                +ok_to_auth_as_delegate HTTP/ipa.example.test<br>
                >>>>>><br>
                >>>>>> -- obtaining the delegated
                certificated fails.<br>
                >>>>> That's because ok_as_delegate and
                ok_to_auth_as_delegate are different<br>
                >>>>> flags.<br>
                >>>> Right. The following patch adds
                ok_to_auth_as_delegate to the service<br>
                >>>> principal.<br>
                >>>><br>
                >>>> I haven't added any tickets to it yet.<br>
                >>>><br>
                >>>><br>
                >>> This might deserve also nice Web UI
                checkbox similar to "Trusted for<br>
                >>> delegation". CCing Pavel.<br>
                >>><br>
                >> Here is patch with new checkbox. It is without
                ticket in commit message so<br>
                >> once we will have the ticket I will send
                another patch with updated commit<br>
                >> message.<br>
                ><br>
                > <a href="https://fedorahosted.org/freeipa/newticket" rel="noreferrer" target="_blank">https://fedorahosted.org/freei<wbr>pa/newticket</a><br>
                ><br>
                > ;-)<br>
                <br>
              </div>
            </div>
            It's prerequisite for <a href="https://fedorahosted.org/freeipa/ticket/5764" rel="noreferrer" target="_blank">https://fedorahosted.org/freei<wbr>pa/ticket/5764</a>
            so we<br>
            might use that.<br>
            <div>
              <div><br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote></div></div>
    Please, add your answers at the end of the previous mail in the
    future.<br>
    <br>
    Also, your patch raises pep8 errors:<br>
    ./ipaserver/plugins/xmlserver.<wbr>py:31:80: E501 line too long (189 >
    79 characters)<br>
    ./ipaserver/rpcserver.py:885:<wbr>5: E113 unexpected indentation<br>
    <br>
    Could you please fix them?<br>
  </div>

</blockquote></div><br><div><div><div>Hi,<br><br></div>thanks for review Stanislav. I understand 
    ./ipaserver/rpcserver.py:885:<wbr>5: E113 unexpected indentation, 
that is my fault, but I really do not understand the first one. Is there a policy
 that you decided not to patch existing files, even if there was 
obviously a longer line before the patch until it is not necessary?<br></div>Anyway, I hope it should be ok now.<br><br></div>Thank you.<br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div>Tibor Dudlák<br></div>Intern - Identity management Special Projects<br></div>Red Hat<br><div><span><font color="#888888"></font></span></div></div></div>
</div></div>