[Freeipa-devel] [PATCH] 0001 Added new authentication method

Jan Cholasta jcholast at redhat.com
Wed Aug 17 14:42:35 UTC 2016


On 17.8.2016 16:36, Stanislav Laznicka wrote:
> On 08/17/2016 03:50 PM, Pavel Vomacka wrote:
>>
>>
>>
>> On 08/17/2016 02:42 PM, Pavel Vomacka wrote:
>>>
>>>
>>> On 08/11/2016 07:49 PM, Petr Vobornik wrote:
>>>> On 08/11/2016 07:21 PM, Martin Basti wrote:
>>>>>
>>>>> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>>>>>
>>>>>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>>>>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>>>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy
>>>>>>>>>> wrote:
>>>>>>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>>>>>>> kadmin.local, we
>>>>>>>>>>> do support setting ok_as_delegate on the service principals
>>>>>>>>>>> via IPA
>>>>>>>>>>> CLI:
>>>>>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>>>>>> --ok-as-delegate=BOOL
>>>>>>>>>>>                         Client credentials may be delegated
>>>>>>>>>>> to the
>>>>>>>>>>> service
>>>>>>>>>> I've tried
>>>>>>>>>>
>>>>>>>>>>       ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>>>>>
>>>>>>>>>> but that does not seem to have the same effect as
>>>>>>>>>>
>>>>>>>>>>       modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>>>>>
>>>>>>>>>> -- obtaining the delegated certificate fails.
>>>>>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are
>>>>>>>>> different
>>>>>>>>> flags.
>>>>>>>> Right. The following patch adds ok_to_auth_as_delegate to the
>>>>>>>> service
>>>>>>>> principal.
>>>>>>>>
>>>>>>>> I haven't added any tickets to it yet.
>>>>>>>>
>>>>>>>>
>>>>>>> This might also deserve a nice Web UI checkbox similar to "Trusted for
>>>>>>> delegation". CCing Pavel.
>>>>>>>
>>>>>> Here is a patch with the new checkbox. It is without a ticket in the
>>>>>> commit message, so
>>>>>> once we have the ticket I will send another patch with
>>>>>> an updated commit
>>>>>> message.
>>>>> https://fedorahosted.org/freeipa/newticket
>>>>>
>>>>> ;-)
>>>> It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764
>>>> so we
>>>> might use that.
>>> Thank you, patch with updated commit message attached.
>>>
>>>
>>>
>> Attached patch adds checkbox also to host page.
>>
> Thank you, works as expected. ACK.

Pushed to master: c36d721a01106e24186bd6b2f0fc74d7af31d5ba

-- 
Jan Cholasta
