On Tue, 30 Jul 2013, Matt . wrote:
This doc is really great.
I have added the delegation target but we still get an err=50 when
running our "add_user" script on the webserver.
On the IPA server we see a keytab file configured in the php.ini and on the
webserver we don't. Configs are quite the same here actually.
Something simple must be wrong I guess.
As I said on IRC, please first make sure you have a working environment
with a simple shell script like in the article. This is to ensure the
basic flow is working correctly -- delegation records are in place and
FreeIPA is indeed allowing HTTP/web.server principal to impersonate the
Next, you need to look into your use of LDAP bindings for PHP and make
sure you are authenticating with SASL GSSAPI method. The last comment at
http://php.net/manual/en/function.ldap-sasl-bind.php describes how this
can (and should) be done, using both SASL GSSAPI and TLS encryption.
There are four parts involved here:
1. IPA master should have delegation targets.
2. Web server should be set up as described.
3. Your web script should use SASL GSSAPI (or you should know what you are
4. Your client should negotiate Kerberos to the server when talking.
When all four are in place, it should work with whatever language you
have used to write your web application.
/ Alexander Bokovoy
Freeipa-users mailing list
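The bind that steps 3 and 4 of the reply describe, as an added PHP example (not code from the thread, the article, or FreeIPA). It assumes Apache has already authenticated the browser with Kerberos and handed the delegated credential cache to the script through the KRB5CCNAME environment variable; the LDAP URI is a placeholder.

```php
<?php
// Added example: SASL GSSAPI bind over TLS from a PHP web script so that the
// directory operation runs as the impersonated user, not as the HTTP principal.
// Assumption: the web server exports the delegated ticket cache in KRB5CCNAME.

function ipa_ldap_connect_gssapi(string $ldap_uri)
{
    // Step 4 of the reply: the client must have negotiated Kerberos to Apache,
    // which then stores the delegated credentials and exposes their path here.
    $ccache = getenv('KRB5CCNAME');
    if ($ccache === false || $ccache === '') {
        throw new RuntimeException('No delegated credentials: KRB5CCNAME is unset; '
            . 'check the client SPNEGO negotiation and credential saving in Apache');
    }
    // Make sure the Kerberos library used by the LDAP extension sees the same cache.
    putenv('KRB5CCNAME=' . $ccache);

    $ds = ldap_connect($ldap_uri);
    if ($ds === false) {
        throw new RuntimeException('Bad LDAP URI: ' . $ldap_uri);
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // TLS first, then SASL GSSAPI, so the whole session is encrypted.
    if (!ldap_start_tls($ds)) {
        throw new RuntimeException('STARTTLS failed: ' . ldap_error($ds));
    }

    // Step 3 of the reply: SASL GSSAPI bind. No DN or password is given; the
    // identity comes from the ticket in KRB5CCNAME (the delegated user).
    if (!ldap_sasl_bind($ds, null, null, 'GSSAPI')) {
        throw new RuntimeException('GSSAPI bind failed: ' . ldap_error($ds)
            . ' (errno ' . ldap_errno($ds) . ')');
    }
    return $ds;
}

// Usage: confirm which identity the bind actually produced. If a later add
// still fails with err=50 (insufficientAccessRights), compare this value with
// the user you expected; binding as the HTTP service principal instead of the
// delegated user is the usual cause.
$ds = ipa_ldap_connect_gssapi('ldap://ipa.example.test');  // placeholder host
echo 'Bound as: ', ldap_exop_whoami($ds), PHP_EOL;
```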