<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 08/17/2016 03:50 PM, Pavel Vomacka
wrote:<br>
</div>
<blockquote
cite="mid:393a23e7-a4a5-63ac-2fe7-a81fa179f824@redhat.com"
type="cite">
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<p><br>
</p>
<br>
<div class="moz-cite-prefix">On 08/17/2016 02:42 PM, Pavel Vomacka
wrote:<br>
</div>
<blockquote
cite="mid:7352976a-17aa-7144-9952-dc9a3497801c@redhat.com"
type="cite"> <br>
<br>
On 08/11/2016 07:49 PM, Petr Vobornik wrote: <br>
<blockquote type="cite">On 08/11/2016 07:21 PM, Martin Basti
wrote: <br>
<blockquote type="cite"> <br>
On 11.08.2016 18:57, Pavel Vomacka wrote: <br>
<blockquote type="cite"> <br>
On 08/11/2016 02:00 PM, Petr Vobornik wrote: <br>
<blockquote type="cite">On 08/11/2016 10:54 AM, Alexander
Bokovoy wrote: <br>
<blockquote type="cite">On Thu, 11 Aug 2016, Jan
Cholasta wrote: <br>
<blockquote type="cite">On 4.8.2016 17:27, Jan
Pazdziora wrote: <br>
<blockquote type="cite">On Wed, Aug 03, 2016 at
10:29:52AM +0300, Alexander Bokovoy wrote: <br>
<blockquote type="cite">Got it. One thing I would
correct, though, -- don't use <br>
kadmin.local, we <br>
do support setting ok_as_delegate on the service
principals via IPA <br>
CLI: <br>
$ ipa service-mod --help |grep -A1
ok-as-delegate <br>
--ok-as-delegate=BOOL <br>
Client credentials may
be delegated to the <br>
service <br>
</blockquote>
I've tried <br>
<br>
ipa service-mod --ok-as-delegate=True
HTTP/$(hostname) <br>
<br>
but that does not seem to have the same effect as
<br>
<br>
modprinc +ok_to_auth_as_delegate
HTTP/ipa.example.test <br>
<br>
-- obtaining the delegated certificated fails. <br>
</blockquote>
That's because ok_as_delegate and
ok_to_auth_as_delegate are different <br>
flags. <br>
</blockquote>
Right. The following patch adds ok_to_auth_as_delegate
to the service <br>
principal. <br>
<br>
I haven't added any tickets to it yet. <br>
<br>
<br>
</blockquote>
This might deserve also nice Web UI checkbox similar to
"Trusted for <br>
delegation". CCing Pavel. <br>
<br>
</blockquote>
Here is patch with new checkbox. It is without ticket in
commit message so <br>
once we will have the ticket I will send another patch
witch updated commit <br>
message. <br>
</blockquote>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/newticket">https://fedorahosted.org/freeipa/newticket</a>
<br>
<br>
;-) <br>
</blockquote>
It's prerequisite for <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://fedorahosted.org/freeipa/ticket/5764">https://fedorahosted.org/freeipa/ticket/5764</a>
so we <br>
might use that. <br>
</blockquote>
Thank you, patch with updated commit message attached. <br>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
Attached patch adds checkbox also to host page.<br>
<br>
</blockquote>
<p>Thank you, works as expected. ACK.<br>
</p>
</body>
</html>