[Freeipa-devel] [PATCH] 0001 Added new authentication method

Jan Cholasta jcholast at redhat.com
Thu Aug 11 08:44:21 UTC 2016


On 4.8.2016 17:27, Jan Pazdziora wrote:
> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>
>> Got it. One thing I would correct, though, -- don't use kadmin.local, we
>> do support setting ok_as_delegate on the service principals via IPA CLI:
>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>  --ok-as-delegate=BOOL
>>                        Client credentials may be delegated to the service
>
> I've tried
>
> 	ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>
> but that does not seem to have the same effect as
>
> 	modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>
> -- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different 
flags.

-- 
Jan Cholasta