[Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access

Dmitri Pal dpal at redhat.com
Tue Jul 30 11:41:54 UTC 2013


On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
> Hi!
>
> On Mon, 29 Jul 2013, Matt . wrote:
>> Hi Alexander,
>>
>> That is great!
>>
>> I hope that someone can find this topic and use it as reference as it took
>> us some time to find the other one :)
> You can find my blog post here:
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>
>
> Hope it helps. I've tested the scenario on Fedora 19.

I added it to the HOWTO section on wiki.
http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA

>
>>
>> Thanks!
>>
>> Cheers,
>>
>> Matt
>>
>> 2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>
>>
>>> Hi Matt,
>>>
>>>
>>> On Mon, 29 Jul 2013, Matt . wrote:
>>>
>>>> Hi all,
>>>>
>>>> Referring to this topic:
>>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>>>>
>>>>
>>>> We are now able to do a show_user from a webserver on an IPA server, but
>>>> user_add gives a problem in rights.
>>>>
>>>> On the IPA server there is added to the services:
>>>> HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL
>>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL>
>>>>
>>>>
>>>> We installed mod_auth_kerb on the webserver and the IPA-server and
>>>> created
>>>> a keytab also on both servers.
>>>>
>>>>
>>>> With our script we still get the following error because the rights
>>>> that
>>>> the user has:
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>>>> 'userPassword' attribute
>>>>
>>>> When we add a user "apache" to the IPA server and give it admin
>>>> rights and
>>>> set it to the "User Administrator" Role we still don't have the right
>>>> privileges to do so.
>>>>
>>>> We need to setup a S4U2Proxy where we thought of that we did by
>>>> installing
>>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
>>>> servers.
>>>>
>>>> The same question for the keytab, where do we use it when we use a
>>>> simple
>>>> webserver form to add a user ? It's the same as in the topic here
>>>> where
>>>> there is spoken about the "User privileges":
>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>>>>
>>>>
>>>> What do we have to do on which server? We have put a lot of time into the
>>>> user_show part and that works, now we still need the user_add (and so on).
>>>>
>>>> Has anyone some sort of sample/howto for this ?
>>>>
>>> As I said on IRC, I'm working on the article which explains all that.
>>> Stay tuned.
>>>
>>>
>>> -- 
>>> / Alexander Bokovoy
>>>
>
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

