<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 08/17/2016 02:42 PM, Pavel Vomacka
      wrote:<br>
    </div>
    <blockquote
      cite="mid:7352976a-17aa-7144-9952-dc9a3497801c@redhat.com"
      type="cite">
      <br>
      <br>
      On 08/11/2016 07:49 PM, Petr Vobornik wrote:
      <br>
      <blockquote type="cite">On 08/11/2016 07:21 PM, Martin Basti
        wrote:
        <br>
        <blockquote type="cite">
          <br>
          On 11.08.2016 18:57, Pavel Vomacka wrote:
          <br>
          <blockquote type="cite">
            <br>
            On 08/11/2016 02:00 PM, Petr Vobornik wrote:
            <br>
            <blockquote type="cite">On 08/11/2016 10:54 AM, Alexander
              Bokovoy wrote:
              <br>
              <blockquote type="cite">On Thu, 11 Aug 2016, Jan Cholasta
                wrote:
                <br>
                <blockquote type="cite">On 4.8.2016 17:27, Jan Pazdziora
                  wrote:
                  <br>
                  <blockquote type="cite">On Wed, Aug 03, 2016 at
                    10:29:52AM +0300, Alexander Bokovoy wrote:
                    <br>
                    <blockquote type="cite">Got it. One thing I would
                      correct, though, -- don't use
                      <br>
                      kadmin.local, we
                      <br>
                      do support setting ok_as_delegate on the service
                      principals via IPA
                      <br>
                      CLI:
                      <br>
                      $ ipa service-mod --help |grep -A1 ok-as-delegate
                      <br>
                      --ok-as-delegate=BOOL
                      <br>
                                              Client credentials may be
                      delegated to the
                      <br>
                      service
                      <br>
                    </blockquote>
                    I've tried
                    <br>
                    <br>
                          ipa service-mod --ok-as-delegate=True
                    HTTP/$(hostname)
                    <br>
                    <br>
                    but that does not seem to have the same effect as
                    <br>
                    <br>
                          modprinc +ok_to_auth_as_delegate
                    HTTP/ipa.example.test
                    <br>
                    <br>
                    -- obtaining the delegated certificate fails.
                    <br>
                  </blockquote>
                  That's because ok_as_delegate and
                  ok_to_auth_as_delegate are different
                  <br>
                  flags.
                  <br>
                </blockquote>
                Right. The following patch adds ok_to_auth_as_delegate
                to the service
                <br>
                principal.
                <br>
                <br>
                I haven't added any tickets to it yet.
                <br>
                <br>
                <br>
              </blockquote>
              This might deserve also nice Web UI checkbox similar to
              "Trusted for
              <br>
              delegation". CCing Pavel.
              <br>
              <br>
            </blockquote>
            Here is patch with new checkbox. It is without ticket in
            commit message so
            <br>
            once we will have the ticket I will send another patch with
            updated commit
            <br>
            message.
            <br>
          </blockquote>
          <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/newticket">https://fedorahosted.org/freeipa/newticket</a>
          <br>
          <br>
          ;-)
          <br>
        </blockquote>
        It's prerequisite for
        <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5764">https://fedorahosted.org/freeipa/ticket/5764</a> so we
        <br>
        might use that.
        <br>
      </blockquote>
      Thank you, patch with updated commit message attached.
      <br>
      <br>
      <br>
      <br>
    </blockquote>
    Attached patch adds checkbox also to host page.<br>
    <pre class="moz-signature" cols="72">-- 
Pavel^3 Vomacka</pre>
  </body>
</html>