Hi Matt,

On Mon, 29 Jul 2013, Matt . wrote:
Hi all,

Referring to this topic:
https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html

We are now able to do a show_user from a webserver on an IPA server, but
user_add gives a problem in rights.

On the IPA server there is added to the services:
HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL

We installed mod_auth_kerb on the webserver and the IPA-server and created
a keytab also on both servers.

With our script we still get the following error because the rights that
the user has:

ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
'userPassword' attribute

When we add a user "apache" to the IPA server and give it admin rights and
set it to the "User Administrator" Role we still don't have the right
privileges to do so.

We need to set up a S4U2Proxy where we thought of that we did by installing
the mod_auth_kerb on the webserver, but this seems to be on the IPA servers.

The same question for the keytab, where do we use it when we use a simple
webserver form to add a user ? It's the same as in the topic here where
there is spoken about the "User privileges":
http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244

What do we have to do on which server ? We have put a lot of time into the
user_show part and that works, now we still need the user_add (and so on).

Has anyone some sort of sample/howto for this ?

As I said on IRC, I'm working on the article which explains all that.
Stay tuned.


--
/ Alexander Bokovoy
