[Freeipa-devel] [PATCH] 0001 Added new authentication method

Stanislav Laznicka slaznick at redhat.com
Wed Aug 17 14:35:53 UTC 2016


On 08/17/2016 03:58 PM, Alexander Bokovoy wrote:
> On Thu, 11 Aug 2016, Petr Vobornik wrote:
>> On 08/11/2016 07:21 PM, Martin Basti wrote:
>>>
>>>
>>> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>>>
>>>>
>>>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>>>>> kadmin.local, we do support setting ok_as_delegate on the
>>>>>>>>> service principals via IPA CLI:
>>>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>>>> --ok-as-delegate=BOOL
>>>>>>>>>                        Client credentials may be delegated to the service
>>>>>>>> I've tried
>>>>>>>>
>>>>>>>>      ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>>>
>>>>>>>> but that does not seem to have the same effect as
>>>>>>>>
>>>>>>>>      modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>>>
>>>>>>>> -- obtaining the delegated certificate fails.
>>>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are
>>>>>>> different flags.
>>>>>> Right. The following patch adds ok_to_auth_as_delegate to the
>>>>>> service principal.
>>>>>>
>>>>>> I haven't added any tickets to it yet.
>>>>>>
>>>>>>
>>>>> This might also deserve a nice Web UI checkbox similar to "Trusted for
>>>>> delegation". CCing Pavel.
>>>>>
>>>> Here is a patch with the new checkbox. It is without a ticket in the
>>>> commit message, so once we have the ticket I will send another patch
>>>> with an updated commit message.
>>>
>>> https://fedorahosted.org/freeipa/newticket
>>>
>>> ;-)
>>
>> It's a prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
>> might use that.
> Sounds good. Patch with updated commit message is attached.
>
>
Thank you for the updated patch, works as expected so ACK.



