[Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

Alexander Bokovoy abokovoy at redhat.com
Mon Jul 29 13:57:53 UTC 2013


Hi Matt,

On Mon, 29 Jul 2013, Matt . wrote:
>Hi all,
>
>Referring to this topic:
>https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>
>We are now able to do a show_user from a webserver on an IPA server, but
>user_add gives a problem in rights.
>
>On the IPA server there is added to the services:
>HTTP/test-webserver.dev.domain.local at DEV.DOMAIN.LOCAL<https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL>
>
>We installed mod_auth_kerb on the webserver and the IPA-server and created
>a keytab also on both servers.
>
>With our script we still get the following error because of the rights that
>the user has:
>
>ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>'userPassword' attribute
>
>When we add a user "apache" to the IPA server and give it admin rights and
>set it to the "User Administrator" Role we still don't have the right
>privileges to do so.
>
>We need to set up S4U2Proxy, which we thought we had done by installing
>mod_auth_kerb on the webserver, but this seems to be on the IPA servers.
>
>The same question for the keytab, where do we use it when we use a simple
>webserver form to add a user ? It's the same as in the topic here where
>there is spoken about the "User privileges":
>http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>
>What do we have to do on which server ? We have put a lot of time into the
>user_show part and that works, now we still need the user_add (and so on).
>
>Has anyone some sort of sample/howto for this ?
As I said on IRC, I'm working on the article which explains all that.
Stay tuned.


-- 
/ Alexander Bokovoy



