[Freeipa-devel] [PATCH] 0001 Added new authentication method

Petr Vobornik pvoborni at redhat.com
Thu Aug 11 12:00:25 UTC 2016


On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>
>>>> Got it. One thing I would correct, though, -- don't use kadmin.local,
>>>> we do support setting ok_as_delegate on the service principals via
>>>> IPA CLI:
>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>> --ok-as-delegate=BOOL
>>>>                       Client credentials may be delegated to the service
>>>
>>> I've tried
>>>
>>>     ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>
>>> but that does not seem to have the same effect as
>>>
>>>     modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>
>>> -- obtaining the delegated certificate fails.
>>
>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>> flags.
> Right. The following patch adds ok_to_auth_as_delegate to the service
> principal.
> 
> I haven't added any tickets to it yet.
> 
> 

This might also deserve a nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

-- 
Petr Vobornik
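
The distinction drawn in the thread, as an added example that is not part of the original message or of the FreeIPA patch: ok_as_delegate and ok_to_auth_as_delegate are separate bits in a principal's ticket flags, so an audit has to test each one on its own. The bit values are those defined in MIT krb5's kdb.h; reading them from a krbTicketFlags attribute in LDIF output, the function names and the sample entries are assumptions of this example, and all data is constructed.

```python
# Added example: report delegation-related ticket flags per principal.
# Bit values are from MIT krb5's kdb.h; SAMPLE_LDIF is constructed data.
OK_AS_DELEGATE = 0x00100000          # ok_as_delegate
OK_TO_AUTH_AS_DELEGATE = 0x00200000  # ok_to_auth_as_delegate
FLAG_NAMES = {OK_AS_DELEGATE: "ok_as_delegate",
              OK_TO_AUTH_AS_DELEGATE: "ok_to_auth_as_delegate"}

SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,cn=services,
 cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/ipa.example.test@EXAMPLE.TEST
krbTicketFlags: 1048704

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,
 cn=accounts,dc=example,dc=test
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbTicketFlags: 2097280

dn: krbprincipalname=ldap/ipa.example.test@EXAMPLE.TEST,cn=services,
 cn=accounts,dc=example,dc=test
krbPrincipalName: ldap/ipa.example.test@EXAMPLE.TEST
"""

def parse_entries(ldif):
    """Yield one {attribute: value} dict per LDIF entry (last value wins)."""
    unfolded = ldif.replace("\n ", "")  # LDIF folds long lines with a space
    for block in unfolded.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            attr, value = line.split(": ", 1)
            entry[attr.lower()] = value
        if entry:
            yield entry

def delegation_flags(ticket_flags):
    """Return the names of the delegation bits set in an integer flag word."""
    return [name for bit, name in FLAG_NAMES.items() if ticket_flags & bit]

def audit(ldif):
    """Map each principal to its delegation flags. An entry without
    krbTicketFlags is reported with neither bit (assumption of this example)."""
    return {e["krbprincipalname"]:
            delegation_flags(int(e.get("krbticketflags", "0")))
            for e in parse_entries(ldif) if "krbprincipalname" in e}

if __name__ == "__main__":
    for principal, flags in audit(SAMPLE_LDIF).items():
        print(f"{principal}: {', '.join(flags) or 'no delegation flags'}")
```
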



