On 08/16/2016 03:16 PM, Tibor Dudlak wrote:
Hi,

I have edited this patch after review. It should be okay now.

Thank you.

On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik <pvobo...@redhat.com <mailto:pvobo...@redhat.com>> wrote:

    On 08/11/2016 07:21 PM, Martin Basti wrote:
    >
    >
    > On 11.08.2016 18:57, Pavel Vomacka wrote:
    >>
    >>
    >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
    >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
    >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
    >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
    >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy
    wrote:
    >>>>>>> Got it. One thing I would correct, though, -- don't use
    >>>>>>> kadmin.local, we
    >>>>>>> do support setting ok_as_delegate on the service
    principals via IPA
    >>>>>>> CLI:
    >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
    >>>>>>> --ok-as-delegate=BOOL
    >>>>>>> Client credentials may be delegated to the
    >>>>>>> service
    >>>>>> I've tried
    >>>>>>
    >>>>>>      ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
    >>>>>>
    >>>>>> but that does not seem to have the same effect as
    >>>>>>
    >>>>>>      modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
    >>>>>>
    >>>>>> -- obtaining the delegated certificated fails.
    >>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are
    different
    >>>>> flags.
    >>>> Right. The following patch adds ok_to_auth_as_delegate to the
    service
    >>>> principal.
    >>>>
    >>>> I haven't added any tickets to it yet.
    >>>>
    >>>>
    >>> This might deserve also nice Web UI checkbox similar to
    "Trusted for
    >>> delegation". CCing Pavel.
    >>>
    >> Here is patch with new checkbox. It is without ticket in commit
    message so
    >> once we will have the ticket I will send another patch witch
    updated commit
    >> message.
    >
    > https://fedorahosted.org/freeipa/newticket
    <https://fedorahosted.org/freeipa/newticket>
    >
    > ;-)

    It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764
    <https://fedorahosted.org/freeipa/ticket/5764> so we
    might use that.


Please, add your answers at the end of the previous mail in the future.

Also, your patch raises pep8 errors:
./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 > 79 characters)
./ipaserver/rpcserver.py:885:5: E113 unexpected indentation

Could you please fix them?
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to