[Freeipa-devel] [PATCH] 0001 Added new authentication method
Martin Basti
mbasti at redhat.com
Thu Aug 11 17:21:00 UTC 2016
On 11.08.2016 18:57, Pavel Vomacka wrote:
>
>
> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>> kadmin.local, we
>>>>>> do support setting ok_as_delegate on the service principals via IPA
>>>>>> CLI:
>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>> --ok-as-delegate=BOOL
>>>>>> Client credentials may be delegated to the
>>>>>> service
>>>>> I've tried
>>>>>
>>>>> ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>
>>>>> but that does not seem to have the same effect as
>>>>>
>>>>> modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>
>>>>> -- obtaining the delegated certificated fails.
>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>>>> flags.
>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>>> principal.
>>>
>>> I haven't added any tickets to it yet.
>>>
>>>
>> This might deserve also nice Web UI checkbox similar to "Trusted for
>> delegation". CCing Pavel.
>>
> Here is patch with new checkbox. It is without ticket in commit
> message so once we will have the ticket I will send another patch
> witch updated commit message.
https://fedorahosted.org/freeipa/newticket
;-)
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160811/93cdebe0/attachment.htm>
More information about the Freeipa-devel
mailing list