On 08/11/2016 07:21 PM, Martin Basti wrote:
> 
> 
> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>
>>
>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>>> kadmin.local, we
>>>>>>> do support setting ok_as_delegate on the service principals via IPA
>>>>>>> CLI:
>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>> --ok-as-delegate=BOOL
>>>>>>>                        Client credentials may be delegated to the
>>>>>>> service
>>>>>> I've tried
>>>>>>
>>>>>>      ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>
>>>>>> but that does not seem to have the same effect as
>>>>>>
>>>>>>      modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>
>>>>>> -- obtaining the delegated certificated fails.
>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>>>>> flags.
>>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>>>> principal.
>>>>
>>>> I haven't added any tickets to it yet.
>>>>
>>>>
>>> This might deserve also nice Web UI checkbox similar to "Trusted for
>>> delegation". CCing Pavel.
>>>
>> Here is patch with new checkbox. It is without ticket in commit message so 
>> once we will have the ticket I will send another patch witch updated commit 
>> message.
> 
> https://fedorahosted.org/freeipa/newticket
> 
> ;-)

It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.
> 
>>
>>
>>
> 
> 
> 


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to