<div dir="ltr"><div><div><div><div>Hi Dimitri, </div>It's a good tuturial but I'm kinda stuck (and new to that part) What we seem to need is: A -> B -> C -> D A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver </div>I thought we didn't need the C -> D part because this is what IPA does. We actually need the A -> B -> C part exectured from a php script to add a user with user_add. </div>More details about that are welcome. </div><div>Thanks! </div><div> </div>Cheers, Matt </div><div class="gmail_extra"> <div class="gmail_quote">2013/7/30 Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="im">On 07/29/2013 03:02 PM, Alexander Bokovoy wrote: > Hi! > > On Mon, 29 Jul 2013, Matt . wrote: >> Hi Alexander, >> >> That is great! >> >> I hope that someone can find this topic and use it as reference as it >> tool >> us some time to find the other one :) > You can find my blog post here: > <a href="http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html" target="_blank">http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html</a> > > > Hope it helps. I've tested the scenario on Fedora 19. </div>I added it to the HOWTO section on wiki. <a href="http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA" target="_blank">http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA</a> <div><div class="h5"> > >> >> Thanks! >> >> Cheers, >> >> Matt >> >> 2013/7/29 Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>> >> >>> Hi Matt, >>> >>> >>> On Mon, 29 Jul 2013, Matt . wrote: >>> >>>> Hi all, >>>> >>>> Refering to this topic: >>>> <a href="https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html" target="_blank">https://www.redhat.com/**archives/freeipa-users/2013-**July/msg00318.html</a><<a href="https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html" target="_blank">https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html</a>> >>>> >>>> >>>> We are no able to do a show_user from a webserver on an IPA server, >>>> but >>>> user_add gives a problem in rights. >>>> >>>> On the IPA server there is added to the services: >>>> HTTP/test-webserver.dev.**domain.local@DEV.DOMAIN.LOCAL<** >>>> <a href="https://test-zip.dev.msp." target="_blank">https://test-zip.dev.msp.</a>**cullie.local/ipa/ui/#HTTP/** >>>> test-zip-2.dev.msp.cullie.**local@DEV.MSP.CULLIE.LOCAL<<a href="https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL" target="_blank">https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL</a>> >>>> >>>> > >>>> >>>> >>>> We installed mod_auth_kerb on the webserver and the IPA-server and >>>> created >>>> a keytab also on both servers. >>>> <<a href="https://test-zip.dev.msp." target="_blank">https://test-zip.dev.msp.</a>**cullie.local/ipa/ui/#HTTP/** >>>> test-zip-2.dev.msp.cullie.**local@DEV.MSP.CULLIE.LOCAL<<a href="https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL" target="_blank">https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL</a>> >>>> >>>> > >>>> >>>> >>>> With our script we still get the following error because the rights >>>> that >>>> the user has: >>>> >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the >>>> 'userPassword' attribute >>>> >>>> When we add a user "apache" to the IPA server and give it admin >>>> rights and >>>> set it to the "User Administrator" Role we still don't have the right >>>> privileges to do so. >>>> >>>> We need to setup a S4U2Proxy where we thought of that we did by >>>> installing >>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA >>>> servers. >>>> >>>> The same question for the keytab, where do we use it when we use a >>>> simple >>>> webserver form to add a user ? It's the same as in the topic here >>>> where >>>> there is spoken about the "User privileges": >>>> <a href="http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244" target="_blank">http://comments.gmane.org/**gmane.linux.redhat.freeipa.**user/8244</a><<a href="http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244" target="_blank">http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244</a>> >>>> >>>> >>>> What do we have to do on which server ? We have put a lot of time >>>> into the >>>> user_show part and that works, now westill need the user_add (and >>>> so on). >>>> >>>> Has anyone some sort of sample/howto for this ? >>>> >>> As I said on IRC, I'm working on the article which explains all that. >>> Stay tuned. >>> >>> >>> -- >>> / Alexander Bokovoy >>> > > > -- </div></div>Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote></div> </div>