On 08/11/2016 07:21 PM, Martin Basti wrote:
>
>
> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>
>>
>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>>> kadmin.local, we do support setting ok_as_delegate on the
>>>>>>> service principals via IPA CLI:
>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>>   --ok-as-delegate=BOOL
>>>>>>>                         Client credentials may be delegated to the
>>>>>>>                         service
>>>>>> I've tried
>>>>>>
>>>>>>     ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>
>>>>>> but that does not seem to have the same effect as
>>>>>>
>>>>>>     modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>
>>>>>> -- obtaining the delegated certificate fails.
>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>>>>> flags.
>>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>>>> principal.
>>>>
>>>> I haven't added any tickets to it yet.
>>>>
>>>>
>>> This might deserve also nice Web UI checkbox similar to "Trusted for
>>> delegation". CCing Pavel.
>>>
>> Here is patch with new checkbox. It is without ticket in commit message so
>> once we will have the ticket I will send another patch with updated commit
>> message.
>
> https://fedorahosted.org/freeipa/newticket
>
> ;-)

It's a prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we might use that.

--
Petr Vobornik
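
An added example, not part of the thread or of FreeIPA's code: the two flags discussed above are separate bits in the principal's krbTicketFlags mask, and this sketch reports which of them each service principal carries. The LDIF entries are constructed, the function names are hypothetical, and the parser assumes unfolded, non-base64 attribute lines.

```python
import re

# Bit values as defined in MIT krb5's kdb.h; FreeIPA keeps the mask in the
# krbTicketFlags attribute of the principal's LDAP entry.
DELEGATION_FLAGS = {
    "ok_as_delegate": 0x00100000,          # ipa service-mod --ok-as-delegate
    "ok_to_auth_as_delegate": 0x00200000,  # modprinc +ok_to_auth_as_delegate
}

# Constructed sample entries (not real directory data); DNs shortened.
SAMPLE_LDIF = """\
dn: krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,cn=services
krbPrincipalName: HTTP/ipa.example.test@EXAMPLE.TEST
krbTicketFlags: 2097280

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST
krbTicketFlags: 1048704

dn: krbprincipalname=ldap/ipa.example.test@EXAMPLE.TEST,cn=services
krbPrincipalName: ldap/ipa.example.test@EXAMPLE.TEST
"""


def parse_entries(ldif):
    """Yield (principal, flags) for each blank-line-separated entry.

    Assumption of this sketch: an entry without krbTicketFlags is
    reported as 0, meaning no per-entry flags are set.
    """
    for block in re.split(r"\n\s*\n", ldif.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                attrs[key.lower()] = value.strip()
        if "krbprincipalname" in attrs:
            yield attrs["krbprincipalname"], int(attrs.get("krbticketflags", "0"))


def delegation_report(ldif):
    """Map each principal to the delegation flags set in its mask."""
    return {
        principal: sorted(n for n, bit in DELEGATION_FLAGS.items() if flags & bit)
        for principal, flags in parse_entries(ldif)
    }


if __name__ == "__main__":
    for principal, flags in delegation_report(SAMPLE_LDIF).items():
        print(principal, flags or "no delegation flags")
```

Run periodically against an export of the service subtree, a report like this makes it easy to review which principals are trusted for either kind of delegation.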
