On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>
>>>> Got it. One thing I would correct, though, -- don't use kadmin.local, we
>>>> do support setting ok_as_delegate on the service principals via IPA CLI:
>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>> --ok-as-delegate=BOOL
>>>>                       Client credentials may be delegated to the service
>>>
>>> I've tried
>>>
>>>     ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>
>>> but that does not seem to have the same effect as
>>>
>>>     modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>
>>> -- obtaining the delegated certificate fails.
>>
>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>> flags.
> Right. The following patch adds ok_to_auth_as_delegate to the service
> principal.
> 
> I haven't added any tickets to it yet.
> 
> 

This might also deserve a nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

-- 
Petr Vobornik
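
Added example, not part of the original thread or of FreeIPA's code: a check of which of the two flags discussed above is actually set on a service principal, by decoding the krbTicketFlags bitmask from an LDIF export. The bit values are those defined in MIT krb5's kdb.h; the LDIF entries and the function names are constructed for illustration.

```python
# Bit values as defined in MIT krb5's kdb.h.
REQUIRES_PRE_AUTH = 0x00000080
OK_AS_DELEGATE = 0x00100000          # hint to clients: credentials may be delegated
OK_TO_AUTH_AS_DELEGATE = 0x00200000  # service may use S4U2Self (protocol transition)
FLAG_NAMES = {
    REQUIRES_PRE_AUTH: "requires_preauth",
    OK_AS_DELEGATE: "ok_as_delegate",
    OK_TO_AUTH_AS_DELEGATE: "ok_to_auth_as_delegate",
}

# Constructed sample export (not real data); the second dn is folded as LDIF allows.
SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,cn=services,dc=example,dc=test
krbPrincipalName: HTTP/ipa.example.test@EXAMPLE.TEST
krbTicketFlags: 1048704

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,
 dc=example,dc=test
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbTicketFlags: 2097280

dn: krbprincipalname=ldap/ipa.example.test@EXAMPLE.TEST,cn=services,dc=example,dc=test
krbPrincipalName: ldap/ipa.example.test@EXAMPLE.TEST
"""

def parse_entries(ldif):
    """Return {principal: flags}; an entry without krbTicketFlags counts as 0."""
    result = {}
    for block in ldif.replace("\n ", "").split("\n\n"):  # unfold wrapped lines first
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if sep:
                attrs[name.lower()] = value.strip()
        if "krbprincipalname" in attrs:
            result[attrs["krbprincipalname"]] = int(attrs.get("krbticketflags", "0"))
    return result

def decode(flags):
    """Names of the known bits set in flags, plus any unknown bits as hex."""
    names = [name for bit, name in FLAG_NAMES.items() if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)
    return names + ([hex(unknown)] if unknown else [])

def protocol_transition_principals(ldif):
    """Principals carrying ok_to_auth_as_delegate, the flag that enables S4U2Self."""
    return sorted(p for p, f in parse_entries(ldif).items() if f & OK_TO_AUTH_AS_DELEGATE)

if __name__ == "__main__":
    for principal, flags in parse_entries(SAMPLE_LDIF).items():
        print(principal, decode(flags))
```

The first sample principal has only ok_as_delegate set, so it is not reported by protocol_transition_principals().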
