[Freeipa-devel] [PATCH] 0001 Added new authentication method

Stanislav Laznicka slaznick at redhat.com
Wed Aug 17 13:36:36 UTC 2016


On 08/16/2016 03:16 PM, Tibor Dudlak wrote:
> Hi,
>
> I have edited this patch after review. It should be okay now.
>
> Thank you.
>
> On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik <pvoborni at redhat.com> wrote:
>
>     On 08/11/2016 07:21 PM, Martin Basti wrote:
>     >
>     >
>     > On 11.08.2016 18:57, Pavel Vomacka wrote:
>     >>
>     >>
>     >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>     >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>     >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>     >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>     >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>     >>>>>>> Got it. One thing I would correct, though, -- don't use
>     >>>>>>> kadmin.local, we do support setting ok_as_delegate on the
>     >>>>>>> service principals via IPA CLI:
>     >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>     >>>>>>> --ok-as-delegate=BOOL
>     >>>>>>> Client credentials may be delegated to the service
>     >>>>>> I've tried
>     >>>>>>
>     >>>>>>      ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>     >>>>>>
>     >>>>>> but that does not seem to have the same effect as
>     >>>>>>
>     >>>>>>      modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>     >>>>>>
>     >>>>>> -- obtaining the delegated certificate fails.
>     >>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are
>     >>>>> different flags.
>     >>>> Right. The following patch adds ok_to_auth_as_delegate to the
>     >>>> service principal.
>     >>>>
>     >>>> I haven't added any tickets to it yet.
>     >>>>
>     >>>>
>     >>> This might also deserve a nice Web UI checkbox similar to
>     >>> "Trusted for delegation". CCing Pavel.
>     >>>
>     >> Here is a patch with the new checkbox. It is without a ticket in the
>     >> commit message, so once we have the ticket I will send another
>     >> patch with an updated commit message.
>     >
>     > https://fedorahosted.org/freeipa/newticket
>     >
>     > ;-)
>
>     It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764
>     so we might use that.
>
>
Please, add your answers at the end of the previous mail in the future.

Also, your patch raises pep8 errors:
./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 > 79 characters)
./ipaserver/rpcserver.py:885:5: E113 unexpected indentation

Could you please fix them?
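
The quoted discussion above turns on ok_as_delegate and ok_to_auth_as_delegate being different principal flags. The following is an added example, not part of the original thread or of the FreeIPA code base, that decodes a principal's krbTicketFlags value and reports delegation flags that were not expected; the bit values are the ones defined in MIT krb5's kdb.h, and the sample entries, realm and approved list are constructed for illustration.

```python
# Added example: decode krbTicketFlags and audit delegation-related bits.
# Bit values as defined in MIT krb5's kdb.h.
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_OK_AS_DELEGATE = 0x00100000          # hint to clients: delegating is OK
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE = 0x00200000  # service may use S4U2Self

FLAG_NAMES = {
    KRB5_KDB_REQUIRES_PRE_AUTH: "requires_preauth",
    KRB5_KDB_OK_AS_DELEGATE: "ok_as_delegate",
    KRB5_KDB_OK_TO_AUTH_AS_DELEGATE: "ok_to_auth_as_delegate",
}


def decode_ticket_flags(value):
    """Return (known flag names in bit order, leftover bits not in FLAG_NAMES)."""
    value = int(value)
    names = [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]
    unknown = value & ~sum(FLAG_NAMES)
    return names, unknown


def audit_delegation(entries, approved):
    """Report principals carrying delegation flags that are not approved.

    entries:  iterable of (principal, krbTicketFlags) pairs, e.g. an LDAP export
    approved: dict mapping principal -> set of expected delegation flag names
    """
    findings = []
    for principal, raw in entries:
        names, _ = decode_ticket_flags(raw)
        delegation = {n for n in names if n.startswith("ok_")}
        unexpected = delegation - approved.get(principal, set())
        if unexpected:
            findings.append((principal, sorted(unexpected)))
    return findings


# Constructed sample data (not from the thread).
SAMPLE = [
    ("HTTP/ipa.example.test@EXAMPLE.TEST", "1048704"),  # 0x100080
    ("HTTP/web.example.test@EXAMPLE.TEST", "2097280"),  # 0x200080
    ("ldap/ipa.example.test@EXAMPLE.TEST", "128"),      # 0x000080
]
APPROVED = {"HTTP/ipa.example.test@EXAMPLE.TEST": {"ok_as_delegate"}}

if __name__ == "__main__":
    for principal, flags in audit_delegation(SAMPLE, APPROVED):
        print(f"{principal}: unexpected {', '.join(flags)}")
```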