<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 07/30/2013 08:17 AM, Matt . wrote:
<blockquote
cite="mid:CAPNQp079+bRKs9XYW2bYOapmN_srupm9280rkmuHRpL-DK3s=w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>
<div>Hi Dimitri,<br>
<br>
</div>
It's a good tutorial but I'm kinda stuck (and new to that
part) <br>
<br>
What we seem to need is:<br>
<br>
A -> B -> C -> D<br>
A= user(running one) B= Webserver C=IPAserver D= LDAP on
IPAserver<br>
<br>
</div>
I thought we didn't need the C -> D part because this is
what IPA does. We actually need the A -> B -> C part
executed from a php script to add a user with user_add.<br>
<br>
</div>
More details about that are welcome.<br>
</div>
</div>
</blockquote>
<br>
You use the article, but instead of accessing LDAP directly you need
to access the IPA web server, because you will be running IPA commands and
not LDAP queries.<br>
So instead of using the <code>ldap/ipa.example.com</code> principal
as outlined in the article, you configure acquisition of tickets for <code>http/ipa.example.com</code>.<br>
Makes sense?<br>
<br>
<blockquote
cite="mid:CAPNQp079+bRKs9XYW2bYOapmN_srupm9280rkmuHRpL-DK3s=w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<br>
</div>
<div>Thanks!<br>
</div>
<div><br>
</div>
Cheers,<br>
<br>
Matt<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">2013/7/30 Dmitri Pal <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:dpal@redhat.com"
target="_blank">dpal@redhat.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="im">On 07/29/2013 03:02 PM, Alexander Bokovoy
wrote:<br>
> Hi!<br>
><br>
> On Mon, 29 Jul 2013, Matt . wrote:<br>
>> Hi Alexander,<br>
>><br>
>> That is great!<br>
>><br>
>> I hope that someone can find this topic and use
it as reference as it<br>
>> took<br>
>> us some time to find the other one :)<br>
> You can find my blog post here:<br>
> <a moz-do-not-send="true"
href="http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html"
target="_blank">http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html</a><br>
><br>
><br>
> Hope it helps. I've tested the scenario on Fedora 19.<br>
<br>
</div>
I added it to the HOWTO section on wiki.<br>
<a moz-do-not-send="true"
href="http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA"
target="_blank">http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA</a><br>
<div>
<div class="h5"><br>
><br>
>><br>
>> Thanks!<br>
>><br>
>> Cheers,<br>
>><br>
>> Matt<br>
>><br>
>> 2013/7/29 Alexander Bokovoy <<a
moz-do-not-send="true"
href="mailto:abokovoy@redhat.com">abokovoy@redhat.com</a>><br>
>><br>
>>> Hi Matt,<br>
>>><br>
>>><br>
>>> On Mon, 29 Jul 2013, Matt . wrote:<br>
>>><br>
>>>> Hi all,<br>
>>>><br>
>>>> Refering to this topic:<br>
>>>> <a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html"
target="_blank">https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html</a><br>
>>>><br>
>>>><br>
>>>> We are now able to do a show_user from a
webserver on an IPA server,<br>
>>>> but<br>
>>>> user_add gives a problem in rights.<br>
>>>><br>
>>>> On the IPA server there is added to the
services:<br>
>>>> HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL<br>
>>>> <<a moz-do-not-send="true"
href="https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL"
target="_blank">https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL</a>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> We installed mod_auth_kerb on the
webserver and the IPA-server and<br>
>>>> created<br>
>>>> a keytab also on both servers.<br>
>>>> <<a moz-do-not-send="true"
href="https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL"
target="_blank">https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.local@DEV.MSP.CULLIE.LOCAL</a>><br>
>>>><br>
>>>><br>
>>>><br>
>>>> With our script we still get the
following error because the rights<br>
>>>> that<br>
>>>> the user has:<br>
>>>><br>
>>>> ipa: ERROR: Insufficient access:
Insufficient 'add' privilege to the<br>
>>>> 'userPassword' attribute<br>
>>>><br>
>>>> When we add a user "apache" to the IPA
server and give it admin<br>
>>>> rights and<br>
>>>> set it to the "User Administrator" Role
we still don't have the right<br>
>>>> privileges to do so.<br>
>>>><br>
>>>> We need to setup a S4U2Proxy where we
thought of that we did by<br>
>>>> installing<br>
>>>> the mod_auth_kerb on the webserver, but
this seems to be on the IPA<br>
>>>> servers.<br>
>>>><br>
>>>> The same question for the keytab, where
do we use it when we use a<br>
>>>> simple<br>
>>>> webserver form to add a user ? It's the
same as in the topic here<br>
>>>> where<br>
>>>> there is spoken about the "User
privileges":<br>
>>>> <a moz-do-not-send="true"
href="http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244"
target="_blank">http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244</a><br>
>>>><br>
>>>><br>
>>>> What do we have to do on which server ?
We have put a lot of time<br>
>>>> into the<br>
>>>> user_show part and that works, now
we still need the user_add (and<br>
>>>> so on).<br>
>>>><br>
>>>> Has anyone some sort of sample/howto
for this ?<br>
>>>><br>
>>> As I said on IRC, I'm working on the
article which explains all that.<br>
>>> Stay tuned.<br>
>>><br>
>>><br>
>>> --<br>
>>> / Alexander Bokovoy<br>
>>><br>
><br>
><br>
><br>
<br>
<br>
--<br>
</div>
</div>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
<br>
-------------------------------<br>
Looking to carve out IT costs?<br>
<a moz-do-not-send="true"
href="http://www.redhat.com/carveoutcosts/"
target="_blank">www.redhat.com/carveoutcosts/</a><br>
<br>
<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
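<br>
Added example (not part of this thread, and not FreeIPA project code): the A -> B -> C chain from the reply above, done with the stock Kerberos command-line tools so the delegation can be checked before any PHP is written. Assumed names: realm <code>EXAMPLE.COM</code>, suffix <code>dc=example,dc=com</code>, web server principal <code>HTTP/web.example.com</code>, IPA server <code>ipa.example.com</code>, keytab path <code>/etc/httpd/conf/http.keytab</code>, and a test user <code>alice</code>. The delegation-rule LDIF layout (<code>cn=s4u2proxy,cn=etc</code>, <code>ipaKrb5DelegationACL</code>) follows the howto linked in the thread and is an assumption to compare against your IPA version; the delegation target is <code>HTTP/ipa.example.com</code>, not <code>ldap/ipa.example.com</code>, because the web server calls the IPA web API rather than running LDAP queries itself.<br>

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project. All host,
# realm and keytab names below are assumptions for illustration.

# 1. Delegation rule that lets the web server's principal obtain tickets to
#    the IPA *web* service on behalf of a user (apply with ldapmodify as an
#    IPA admin). Layout follows the linked howto; assumption, verify locally.
delegation_ldif() {
  suffix=$1; web_princ=$2; target_princ=$3
  cat <<EOF
dn: cn=web-to-ipa-delegation,cn=s4u2proxy,cn=etc,$suffix
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: web-to-ipa-delegation
memberPrincipal: $web_princ
ipaAllowedTarget: cn=web-to-ipa-targets,cn=s4u2proxy,cn=etc,$suffix

dn: cn=web-to-ipa-targets,cn=s4u2proxy,cn=etc,$suffix
objectClass: groupOfPrincipals
objectClass: top
cn: web-to-ipa-targets
memberPrincipal: $target_princ
EOF
}

# 2. JSON-RPC body for user_add in the shape the IPA web API (/ipa/json) takes.
user_add_json() {
  printf '{"method":"user_add","params":[["%s"],{"givenname":"%s","sn":"%s"}],"id":0}\n' \
    "$1" "$2" "$3"
}

# 3. On the web server: prove S4U2Self + S4U2Proxy work before touching PHP.
#    kinit with the HTTP/web keytab (the same one mod_auth_kerb uses), then
#    ask the KDC for a ticket to the target *as the user*:
#    -U = S4U2Self (impersonate user), -P = S4U2Proxy (forward to target).
#    Without the delegation rule from step 1 the kvno call fails.
verify_delegation() {
  keytab=$1; web_princ=$2; user=$3; target_princ=$4
  kinit -kt "$keytab" "$web_princ" || return 1
  kvno -U "$user" -P "$target_princ" || return 1
  klist | grep -F "$target_princ"
}

# 4. Call the IPA JSON API with the delegated ticket. IPA requires a Referer
#    header; --negotiate -u : makes curl use the ticket from step 3.
ipa_user_add() {
  ipa_host=$1; body=$2
  curl -sS --negotiate -u : \
    -H "Referer: https://$ipa_host/ipa" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    --data "$body" "https://$ipa_host/ipa/json"
}

main() {
  delegation_ldif dc=example,dc=com \
    HTTP/web.example.com@EXAMPLE.COM HTTP/ipa.example.com@EXAMPLE.COM
  verify_delegation /etc/httpd/conf/http.keytab \
    HTTP/web.example.com@EXAMPLE.COM alice HTTP/ipa.example.com@EXAMPLE.COM
  ipa_user_add ipa.example.com "$(user_add_json bob Bob Smith)"
}

# The network steps only run when asked for; sourcing the file just defines
# the functions so the LDIF and JSON builders can be reused.
if [ "${RUN_S4U2PROXY_DEMO:-0}" = 1 ]; then
  main "$@"
fi
```

Run it with <code>RUN_S4U2PROXY_DEMO=1 sh s4u2proxy-check.sh</code> on the web server after the LDIF has been loaded on the IPA server. If step 3 succeeds, <code>klist</code> shows a ticket for <code>HTTP/ipa.example.com</code> held in the web server's cache on behalf of the user, which is exactly the credential the PHP script needs to present; the "Insufficient 'add' privilege" error then depends only on the impersonated user's IPA role, not on the web server's own rights.<br>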
</body>
</html>