Hi Dmitri,

It's a good tutorial but I'm kinda stuck (and new to that part)

What we seem to need is:

A -> B -> C -> D
A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver

I thought we didn't need the C -> D part because this is what IPA does. We
actually need the A -> B -> C part executed from a php script to add a
user with user_add.

More details about that are welcome.

Thanks!

Cheers,

Matt


2013/7/30 Dmitri Pal <d...@redhat.com>

> On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
> > Hi!
> >
> > On Mon, 29 Jul 2013, Matt . wrote:
> >> Hi Alexander,
> >>
> >> That is great!
> >>
> >> I hope that someone can find this topic and use it as reference as it
> >> took us some time to find the other one :)
> > You can find my blog post here:
> >
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
> >
> >
> > Hope it helps. I've tested the scenario on Fedora 19.
>
> I added it to the HOWTO section on wiki.
> http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA
>
> >
> >>
> >> Thanks!
> >>
> >> Cheers,
> >>
> >> Matt
> >>
> >> 2013/7/29 Alexander Bokovoy <aboko...@redhat.com>
> >>
> >>> Hi Matt,
> >>>
> >>>
> >>> On Mon, 29 Jul 2013, Matt . wrote:
> >>>
> >>>> Hi all,
> >>>>
> >>>> Referring to this topic:
> >>>>
> >>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
> >>>>
> >>>>
> >>>> We are now able to do a show_user from a webserver on an IPA server,
> >>>> but user_add gives a problem in rights.
> >>>>
> >>>> On the IPA server there is added to the services:
> >>>> HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL
> >>>>
> >>>> We installed mod_auth_kerb on the webserver and the IPA-server and
> >>>> created
> >>>> a keytab also on both servers.
> >>>>
> >>>> With our script we still get the following error because the rights
> >>>> that
> >>>> the user has:
> >>>>
> >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
> >>>> 'userPassword' attribute
> >>>>
> >>>> When we add a user "apache" to the IPA server and give it admin
> >>>> rights and
> >>>> set it to the "User Administrator" Role we still don't have the right
> >>>> privileges to do so.
> >>>>
> >>>> We need to setup a S4U2Proxy where we thought of that we did by
> >>>> installing
> >>>> the mod_auth_kerb on the webserver, but this seems to be on the IPA
> >>>> servers.
> >>>>
> >>>> The same question for the keytab, where do we use it when we use a
> >>>> simple
> >>>> webserver form to add a user ? It's the same as in the topic here
> >>>> where
> >>>> there is spoken about the "User privileges":
> >>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
> >>>>
> >>>>
> >>>> What do we have to do on which server ? We have put a lot of time
> >>>> into the
> >>>> user_show part and that works, now we still need the user_add (and
> >>>> so on).
> >>>>
> >>>> Has anyone some sort of sample/howto for this ?
> >>>>
> >>> As I said on IRC, I'm working on the article which explains all that.
> >>> Stay tuned.
> >>>
> >>>
> >>> --
> >>> / Alexander Bokovoy
> >>>
> >
> >
> >
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>