On Thu, 11 Aug 2016, Petr Vobornik wrote:
On 08/11/2016 07:21 PM, Martin Basti wrote:



On 11.08.2016 18:57, Pavel Vomacka wrote:


On 08/11/2016 02:00 PM, Petr Vobornik wrote:
On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
On Thu, 11 Aug 2016, Jan Cholasta wrote:
On 4.8.2016 17:27, Jan Pazdziora wrote:
On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
Got it. One thing I would correct, though: don't use
kadmin.local, we
do support setting ok_as_delegate on service principals via the IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
                       Client credentials may be delegated to the
service
I've tried

     ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

     modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.
That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.
Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.


This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

Here is a patch with the new checkbox. It has no ticket in the commit message, so
once we have the ticket I will send another patch with an updated commit
message.

https://fedorahosted.org/freeipa/newticket

;-)

It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.
Sounds good. Patch with updated commit message is attached.

--
/ Alexander Bokovoy
From e2cebaa4e4b30b588d484e111cb11779cb863c0f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Thu, 11 Aug 2016 11:52:05 +0300
Subject: [PATCH 06/10] service: add flag to allow S4U2Self

Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
---
 API.txt                      | 12 ++++++++----
 VERSION                      |  4 ++--
 ipaserver/plugins/service.py |  7 +++++++
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/API.txt b/API.txt
index 535d8ec..5b83bfb 100644
--- a/API.txt
+++ b/API.txt
@@ -2260,7 +2260,7 @@ output: Output('summary', type=[<type 'unicode'>, <type 
'NoneType'>])
 output: Output('value', type=[<type 'bool'>])
 output: Output('warning', type=[<type 'list'>, <type 'tuple'>, <type 
'NoneType'>])
 command: host_add/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2269,6 +2269,7 @@ option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
 option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
@@ -2437,7 +2438,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: host_mod/1
-args: 1,25,3
+args: 1,26,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2445,6 +2446,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, 
cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, 
cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
@@ -4293,13 +4295,14 @@ output: Entry('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,12,3
+args: 1,13,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', 
u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
@@ -4435,13 +4438,14 @@ output: ListOfEntries('result')
 output: Output('summary', type=[<type 'unicode'>, <type 'NoneType'>])
 output: Output('truncated', type=[<type 'bool'>])
 command: service_mod/1
-args: 1,14,3
+args: 1,15,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', 
values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, 
cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, 
cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
diff --git a/VERSION b/VERSION
index ca48996..a8b89ed 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=20100614120000
 #                                                      #
 ########################################################
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=211
-# Last change: mbabinsk: allow 'value' output param in commands without 
primary key
+IPA_API_VERSION_MINOR=212
+# Last change: ab: service: add flag to allow S4U2Self
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index a44dcaa..04d1916 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -171,11 +171,18 @@ ticket_flags_params = (
         doc=_('Client credentials may be delegated to the service'),
         flags=['virtual_attribute', 'no_search'],
     ),
+    Bool('ipakrboktoauthasdelegate?',
+        cli_name='ok_to_auth_as_delegate',
+        label=_('Trusted to authenticate as user'),
+        doc=_('The service is allowed to authenticate on behalf of a client'),
+        flags=['virtual_attribute', 'no_search'],
+    ),
 )
 
 _ticket_flags_map = {
     'ipakrbrequirespreauth': 0x00000080,
     'ipakrbokasdelegate': 0x00100000,
+    'ipakrboktoauthasdelegate': 0x00200000,
 }
 
 _ticket_flags_default = _ticket_flags_map['ipakrbrequirespreauth']
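Review bot: The `doc=` string on the new `ipakrboktoauthasdelegate?` option understates what the flag grants: 0x00200000 is MIT krb5's KRB5_KDB_OK_TO_AUTH_AS_DELEGATE, which lets the service obtain forwardable tickets to itself on behalf of arbitrary users via S4U2Self without those users' credentials, and such a ticket can then feed constrained delegation (S4U2Proxy); as I read MIT's KDC it is the forwardable bit of the S4U2Self ticket that this flag controls rather than S4U2Self itself, so the subject "add flag to allow S4U2Self" is slightly imprecise. An administrator reading `ipa service-mod --help` should see that consequence, e.g. `doc=_('The service may obtain forwardable tickets to itself on behalf of any user (S4U2Self), usable for constrained delegation')`. The flag is written through the same virtual-attribute bitmask path as `ipakrbokasdelegate`, so presumably whoever is permitted to set ok_as_delegate can also set this one — worth confirming that is the intended access control, since this flag confers an impersonation capability. The enclosing `ticket_flags_params` tuple starts before the hunk.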
-- 
2.7.4
