[Freeipa-devel] [PATCH] 0001 Added new authentication method

Stanislav Laznicka slaznick at redhat.com
Wed Aug 17 14:33:35 UTC 2016


On 08/17/2016 04:11 PM, Tibor Dudlak wrote:
>
> On Wed, Aug 17, 2016 at 3:36 PM, Stanislav Laznicka
> <slaznick at redhat.com> wrote:
>
>     On 08/16/2016 03:16 PM, Tibor Dudlak wrote:
>>     Hi,
>>
>>     I have edited this patch after review. It should be okay now.
>>
>>     Thank you.
>>
>>     On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik
>>     <pvoborni at redhat.com> wrote:
>>
>>         On 08/11/2016 07:21 PM, Martin Basti wrote:
>>         >
>>         >
>>         > On 11.08.2016 18:57, Pavel Vomacka wrote:
>>         >>
>>         >>
>>         >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>         >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>         >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>         >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>         >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander
>>         Bokovoy wrote:
>>         >>>>>>> Got it. One thing I would correct, though, -- don't use
>>         >>>>>>> kadmin.local, we
>>         >>>>>>> do support setting ok_as_delegate on the service
>>         principals via IPA
>>         >>>>>>> CLI:
>>         >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>         >>>>>>> --ok-as-delegate=BOOL
>>         >>>>>>>             Client credentials may be delegated to the
>>         >>>>>>> service
>>         >>>>>> I've tried
>>         >>>>>>
>>         >>>>>>      ipa service-mod --ok-as-delegate=True
>>         HTTP/$(hostname)
>>         >>>>>>
>>         >>>>>> but that does not seem to have the same effect as
>>         >>>>>>
>>         >>>>>>      modprinc +ok_to_auth_as_delegate
>>         HTTP/ipa.example.test
>>         >>>>>>
>>         >>>>>> -- obtaining the delegated certificated fails.
>>         >>>>> That's because ok_as_delegate and
>>         ok_to_auth_as_delegate are different
>>         >>>>> flags.
>>         >>>> Right. The following patch adds ok_to_auth_as_delegate
>>         to the service
>>         >>>> principal.
>>         >>>>
>>         >>>> I haven't added any tickets to it yet.
>>         >>>>
>>         >>>>
>>         >>> This might deserve also nice Web UI checkbox similar to
>>         "Trusted for
>>         >>> delegation". CCing Pavel.
>>         >>>
>>         >> Here is patch with new checkbox. It is without ticket in
>>         commit message so
>>         >> once we will have the ticket I will send another patch
>>         with updated commit
>>         >> message.
>>         >
>>         > https://fedorahosted.org/freeipa/newticket
>>         >
>>         > ;-)
>>
>>         It's prerequisite for
>>         https://fedorahosted.org/freeipa/ticket/5764 so we
>>         might use that.
>>
>>
>     Please, add your answers at the end of the previous mail in the
>     future.
>
>     Also, your patch raises pep8 errors:
>     ./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 >
>     79 characters)
>     ./ipaserver/rpcserver.py:885:5: E113 unexpected indentation
>
>     Could you please fix them?
>
>
> Hi,
>
> thanks for review Stanislav. I understand 
> ./ipaserver/rpcserver.py:885:5: E113 unexpected indentation, that is 
> my fault but really do not understand first one. Is there policy that 
> you decided not to patch existing files, even if there was obviously 
> longer line before patch until it is not necessary?
> Anyway I hope it should be ok now.
>
> Thank you.

There's a policy to try to be pep8 compliant as much as we can with any 
new patches. Your new patch would still raise some pep8 errors, please 
see the attached patch that should be ok. If it's ok with you then ACK, 
it seems to be working.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-tdudlak-0001-4-Added-new-authentication-method.patch
Type: text/x-patch
Size: 2887 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160817/57e0927c/attachment.bin>

