[Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

Matt . yamakasi.014 at gmail.com
Mon Jul 29 13:42:10 UTC 2013


Hi all,

Referring to this topic:
https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html

We are now able to do a show_user from a webserver on an IPA server, but
user_add gives a problem with rights.

On the IPA server the following has been added to the services:
HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL

We installed mod_auth_kerb on the webserver and the IPA-server and created
a keytab also on both servers.

With our script we still get the following error because of the rights that
the user has:

ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
'userPassword' attribute

When we add a user "apache" to the IPA server and give it admin rights and
set it to the "User Administrator" Role we still don't have the right
privileges to do so.

We need to set up S4U2Proxy, which we thought we did by installing
mod_auth_kerb on the webserver, but this seems to be on the IPA servers.

The same question for the keytab: where do we use it when we use a simple
webserver form to add a user? It's the same as in the topic here where
the "User privileges" are discussed:
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244

What do we have to do on which server? We have put a lot of time into the
user_show part and that works, now we still need the user_add (and so on).

Has anyone some sort of sample/howto for this?

Thanks in advance.

Matt