[Freeipa-devel] [PATCH] 0001 Added new authentication method

Alexander Bokovoy abokovoy at redhat.com
Thu Aug 11 08:54:48 UTC 2016


On Thu, 11 Aug 2016, Jan Cholasta wrote:
>On 4.8.2016 17:27, Jan Pazdziora wrote:
>>On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>
>>>Got it. One thing I would correct, though, -- don't use kadmin.local, we
>>>do support setting ok_as_delegate on the service principals via IPA CLI:
>>>$ ipa service-mod --help |grep -A1 ok-as-delegate
>>> --ok-as-delegate=BOOL
>>>                       Client credentials may be delegated to the service
>>
>>I've tried
>>
>>	ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>
>>but that does not seem to have the same effect as
>>
>>	modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>
>>-- obtaining the delegated certificate fails.
>
>That's because ok_as_delegate and ok_to_auth_as_delegate are different 
>flags.
Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.
-- 
/ Alexander Bokovoy
-------------- next part --------------
From 9af1c479cf8d1862c001fccd5345bd93dd6e54a8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy at redhat.com>
Date: Thu, 11 Aug 2016 11:52:05 +0300
Subject: [PATCH 6/6] service: add flag to allow S4U2Self

---
 API.txt                      | 12 ++++++++----
 ipaserver/plugins/service.py |  7 +++++++
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 535d8ec..5b83bfb 100644
--- a/API.txt
+++ b/API.txt
@@ -2260,7 +2260,7 @@ output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('value', type=[<type 'bool'>])
 output: Output('warning', type=[<type 'list'>, <type 'tuple'>, <type 'NoneType'>])
 command: host_add/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2269,6 +2269,7 @@ option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
 option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
@@ -2437,7 +2438,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: host_mod/1
-args: 1,25,3
+args: 1,26,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2445,6 +2446,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
@@ -4293,13 +4295,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,12,3
+args: 1,13,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
@@ -4435,13 +4438,14 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: service_mod/1
-args: 1,14,3
+args: 1,15,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index a44dcaa..04d1916 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -171,11 +171,18 @@ ticket_flags_params = (
         doc=_('Client credentials may be delegated to the service'),
         flags=['virtual_attribute', 'no_search'],
     ),
+    Bool('ipakrboktoauthasdelegate?',
+        cli_name='ok_to_auth_as_delegate',
+        label=_('Trusted to authenticate as user'),
+        doc=_('The service is allowed to authenticate on behalf of a client'),
+        flags=['virtual_attribute', 'no_search'],
+    ),
 )
 
 _ticket_flags_map = {
     'ipakrbrequirespreauth': 0x00000080,
     'ipakrbokasdelegate': 0x00100000,
+    'ipakrboktoauthasdelegate': 0x00200000,
 }
 
 _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth']
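Review bot: The doc string on the new `ipakrboktoauthasdelegate` option understates what the flag grants: ok_to_auth_as_delegate turns on S4U2Self protocol transition, which lets the service obtain tickets for arbitrary users without those users' credentials or participation, so it is a high-privilege setting rather than a per-service convenience and the help text should say so. I would change it to `doc=_('The service may obtain tickets on behalf of any user without their credentials (S4U2Self protocol transition); grant only to trusted services')`. The bit added to `_ticket_flags_map`, 0x00200000, appears to be the MIT KDB ok_to_auth_as_delegate flag the thread compares against `modprinc +ok_to_auth_as_delegate`, but nothing in the hunk ties the number to that name; a comment such as `# KRB5_KDB_OK_TO_AUTH_AS_DELEGATE (S4U2Self)` beside the entry would let a reader verify it without opening kdb.h. The `ticket_flags_params` tuple this extends begins outside the hunk.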
-- 
2.7.4


