On Thu, 2012-02-23 at 17:32 -0500, Rob Crittenden wrote:
> The call to create_connection in the backend was outside a try/except so 
> we would miss public ACI errors. This will catch them.
> 
> To test this you can delete the S4U2Proxy delegation:
> 
> $ ldapmodify -x -D 'cn=directory manager' -W
> LDAP Password:
> dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,$SUFFIX
> changetype: modify
> delete: memberPrincipal
> 
> $ kinit admin
> $ ipa user-show admin
> ipa: ERROR: Insufficient access: KDC returned NOT_ALLOWED_TO_DELEGATE
> 
> To fix your instance run:
> 
> # ipa-ldap-updater --ldapi /usr/share/ipa/updates/30-s4u2proxy.update
> 
> rob

ACK. Works ok. Pushed to master, ipa-2-2.

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
