[Freeipa-users] User_show works from webserver, user_add ipa: ERROR: Insufficient access
Alexander Bokovoy
abokovoy at redhat.com
Tue Jul 30 15:52:25 UTC 2013
On Tue, 30 Jul 2013, Dmitri Pal wrote:
>On 07/30/2013 08:17 AM, Matt . wrote:
>> Hi Dmitri,
>>
>> It's a good tutorial but I'm kinda stuck (and new to that part)
>>
>> What we seem to need is:
>>
>> A -> B -> C -> D
>> A = user (running one), B = Webserver, C = IPA server, D = LDAP on IPA server
>>
>> I thought we didn't need the C -> D part because this is what IPA
>> does. We actually need the A -> B -> C part executed from a PHP
>> script to add a user with user_add.
>>
>> More details about that are welcome.
>
>You use the article, but instead of accessing LDAP directly you need to
>access the IPA web server because you will be running IPA commands and not
>LDAP queries.
>So instead of using the |ldap/ipa.example.com| principal as outlined in
>the article you configure acquisition of tickets for |http/ipa.example.com|.
>Makes sense?
Yes and Matt actually solved his problem on IRC and now is happily deploying
his servers. :)
I'll extend the article to cover the case when you need to talk to both
LDAP and IPA server XML-RPC/JSON API.
Ideally we need to introduce some commands to manage delegations between
services. An RFE ticket for CLI?
>
>>
>> Thanks!
>>
>> Cheers,
>>
>> Matt
>>
>>
>> 2013/7/30 Dmitri Pal <dpal at redhat.com>
>>
>> On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
>> > Hi!
>> >
>> > On Mon, 29 Jul 2013, Matt . wrote:
>> >> Hi Alexander,
>> >>
>> >> That is great!
>> >>
>> >> I hope that someone can find this topic and use it as reference as it
>> >> took us some time to find the other one :)
>> > You can find my blog post here:
>> >
>> > http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>> >
>> >
>> > Hope it helps. I've tested the scenario on Fedora 19.
>>
>> I added it to the HOWTO section on wiki.
>> http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA
>>
>> >
>> >>
>> >> Thanks!
>> >>
>> >> Cheers,
>> >>
>> >> Matt
>> >>
>> >> 2013/7/29 Alexander Bokovoy <abokovoy at redhat.com>
>> >>
>> >>> Hi Matt,
>> >>>
>> >>>
>> >>> On Mon, 29 Jul 2013, Matt . wrote:
>> >>>
>> >>>> Hi all,
>> >>>>
>> >>>> Referring to this topic:
>> >>>>
>> >>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>> >>>>
>> >>>>
>> >>>> We are now able to do a user_show from a webserver on an IPA
>> >>>> server, but user_add gives a problem in rights.
>> >>>>
>> >>>> On the IPA server there is added to the services:
>> >>>> HTTP/test-webserver.dev.domain.local at DEV.DOMAIN.LOCAL
>> >>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL>
>> >>>>
>> >>>>
>> >>>> We installed mod_auth_kerb on the webserver and the IPA server and
>> >>>> created a keytab also on both servers.
>> >>>>
>> >>>> With our script we still get the following error because of the
>> >>>> rights that the user has:
>> >>>>
>> >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>> >>>> 'userPassword' attribute
>> >>>>
>> >>>> When we add a user "apache" to the IPA server and give it admin
>> >>>> rights and set it to the "User Administrator" Role we still don't
>> >>>> have the right privileges to do so.
>> >>>>
>> >>>> We need to set up a S4U2Proxy, which we thought we did by
>> >>>> installing the mod_auth_kerb on the webserver, but this seems to be
>> >>>> on the IPA servers.
>> >>>>
>> >>>> The same question for the keytab: where do we use it when we use a
>> >>>> simple webserver form to add a user? It's the same as in the topic
>> >>>> here where the "User privileges" are spoken about:
>> >>>>
>> >>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>> >>>>
>> >>>>
>> >>>> What do we have to do on which server? We have put a lot of time
>> >>>> into the user_show part and that works; now we still need the
>> >>>> user_add (and so on).
>> >>>>
>> >>>> Has anyone some sort of sample/howto for this ?
>> >>>>
>> >>> As I said on IRC, I'm working on the article which explains all that.
>> >>> Stay tuned.
>> >>>
>> >>>
>> >>> --
>> >>> / Alexander Bokovoy
>> >>>
>> >
>> >
>> >
>>
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
--
/ Alexander Bokovoy
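For the case Alexander mentions above, a webserver whose HTTP service must reach both the LDAP service and the IPA XML-RPC/JSON API on behalf of the logged-in user, here is an added example of the constrained-delegation entries involved. It is not code from the thread or from Alexander's article; it assumes the realm EXAMPLE.COM, the suffix dc=example,dc=com, a webserver web.example.com and an IPA server ipa.example.com, all placeholders, and it uses the cn=s4u2proxy,cn=etc container with the ipaKrb5DelegationACL/groupOfPrincipals schema that FreeIPA itself uses for its default HTTP-to-ldap delegation.

```ldif
# Added example, not from the thread or the FreeIPA project.
# Assumed placeholders: realm EXAMPLE.COM, suffix dc=example,dc=com,
# webserver web.example.com, IPA server ipa.example.com.
# Load with: ldapmodify -x -D "cn=Directory Manager" -W -f web-delegation.ldif

# Target group: the services the delegating principal may obtain
# user tickets for. Both ldap/ (direct LDAP) and HTTP/ (XML-RPC/JSON API)
# of the IPA server are listed, which is the "talk to both" case.
dn: cn=web-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: add
objectClass: groupOfPrincipals
objectClass: top
cn: web-delegation-targets
memberPrincipal: ldap/ipa.example.com@EXAMPLE.COM
memberPrincipal: HTTP/ipa.example.com@EXAMPLE.COM

# Delegation rule: the webserver's HTTP service is the only principal
# allowed to delegate, and only towards the targets above.
dn: cn=web-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
changetype: add
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: web-delegation
memberPrincipal: HTTP/web.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=web-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
```

Keep the target list as narrow as the application needs: every principal listed there is a service the webserver can obtain a ticket for in the name of any user who authenticated to it, so a compromised webserver gains exactly that reach and no more. Note also that IPA's access controls are evaluated against the Kerberos identity that actually reaches the server; with S4U2Proxy that is the end user, so the role that matters for user_add is the user's (for example User Administrator), not that of a local "apache" account. Since FreeIPA 4.2 the same entries are managed with the ipa servicedelegationrule-* and servicedelegationtarget-* commands rather than raw LDIF.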