On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>
>>>> Got it. One thing I would correct, though, -- don't use kadmin.local, we
>>>> do support setting ok_as_delegate on the service principals via IPA CLI:
>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>   --ok-as-delegate=BOOL
>>>>                         Client credentials may be delegated to the service
>>>
>>> I've tried
>>>
>>>     ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>
>>> but that does not seem to have the same effect as
>>>
>>>     modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>
>>> -- obtaining the delegated certificated fails.
>>
>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>> flags.
> Right. The following patch adds ok_to_auth_as_delegate to the service
> principal.
>
> I haven't added any tickets to it yet.
>

This might also deserve a nice Web UI checkbox similar to "Trusted for delegation". CCing Pavel.

--
Petr Vobornik
