On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>> Got it. One thing I would correct, though, -- don't use
>>>> kadmin.local, we
>>>> do support setting ok_as_delegate on the service principals via IPA
>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>> Client credentials may be delegated to the
>>> I've tried
>>> ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>> but that does not seem to have the same effect as
>>> modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>> -- obtaining the delegated certificated fails.
>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
> Right. The following patch adds ok_to_auth_as_delegate to the service
> I haven't added any tickets to it yet.
This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code