[Freeipa-devel] [PATCH] 0001 Added new authentication method

Stanislav Laznicka slaznick at redhat.com
Wed Aug 17 14:36:50 UTC 2016


On 08/17/2016 03:50 PM, Pavel Vomacka wrote:
>
>
>
> On 08/17/2016 02:42 PM, Pavel Vomacka wrote:
>>
>>
>> On 08/11/2016 07:49 PM, Petr Vobornik wrote:
>>> On 08/11/2016 07:21 PM, Martin Basti wrote:
>>>>
>>>> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>>>>
>>>>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>>>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>>>>>> Got it. One thing I would correct, though, -- don't use kadmin.local, we
>>>>>>>>>> do support setting ok_as_delegate on the service principals via IPA
>>>>>>>>>> CLI:
>>>>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>>>>> --ok-as-delegate=BOOL
>>>>>>>>>>                         Client credentials may be delegated to the service
>>>>>>>>> I've tried
>>>>>>>>>
>>>>>>>>>       ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>>>>
>>>>>>>>> but that does not seem to have the same effect as
>>>>>>>>>
>>>>>>>>>       modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>>>>
>>>>>>>>> -- obtaining the delegated certificate fails.
>>>>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>>>>>>>> flags.
>>>>>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>>>>>>> principal.
>>>>>>>
>>>>>>> I haven't added any tickets to it yet.
>>>>>>>
>>>>>>>
>>>>>> This might also deserve a nice Web UI checkbox similar to "Trusted for
>>>>>> delegation". CCing Pavel.
>>>>>>
>>>>> Here is a patch with the new checkbox. It is without a ticket in the commit
>>>>> message, so once we have the ticket I will send another patch with an
>>>>> updated commit message.
>>>> https://fedorahosted.org/freeipa/newticket
>>>>
>>>> ;-)
>>> It's a prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
>>> might use that.
>> Thank you, patch with updated commit message attached.
>>
>>
>>
> Attached patch adds checkbox also to host page.
>
Thank you, works as expected. ACK.
