On 07/30/2013 08:17 AM, Matt . wrote:
> Hi Dimitri,
>
> It's a good tutorial but I'm kinda stuck (and new to that part)
>
> What we seem to need is:
>
> A -> B -> C -> D
> A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver
>
> I thought we didn't need the C -> D part because this is what IPA
> does. We actually need the A -> B -> C part executed from a PHP
> script to add a user with user_add.
>
> More details about that are welcome.

You use the article, but instead of accessing LDAP directly you need to
access the IPA web server, because you will be running IPA commands and not
LDAP queries.
So instead of using the ldap/ipa.example.com principal as outlined in
the article, you configure acquisition of tickets for http/ipa.example.com.
Makes sense?

>
> Thanks!
>
> Cheers,
>
> Matt
>
>
> 2013/7/30 Dmitri Pal <d...@redhat.com <mailto:d...@redhat.com>>
>
>     On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
>     > Hi!
>     >
>     > On Mon, 29 Jul 2013, Matt . wrote:
>     >> Hi Alexander,
>     >>
>     >> That is great!
>     >>
>     >> I hope that someone can find this topic and use it as reference as it
>     >> took us some time to find the other one :)
>     > You can find my blog post here:
>     >
>     > http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>     >
>     > Hope it helps. I've tested the scenario on Fedora 19.
>
>     I added it to the HOWTO section on wiki.
>     http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA
>
>     >
>     >>
>     >> Thanks!
>     >>
>     >> Cheers,
>     >>
>     >> Matt
>     >>
>     >> 2013/7/29 Alexander Bokovoy <aboko...@redhat.com
>     <mailto:aboko...@redhat.com>>
>     >>
>     >>> Hi Matt,
>     >>>
>     >>>
>     >>> On Mon, 29 Jul 2013, Matt . wrote:
>     >>>
>     >>>> Hi all,
>     >>>>
>     >>>> Refering to this topic:
>     >>>>
>     >>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>     >>>>
>     >>>>
>     >>>> We are now able to do a show_user from a webserver on an IPA server,
>     >>>> but user_add gives a problem in rights.
>     >>>>
>     >>>> On the IPA server there is added to the services:
>     >>>> HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL
>     >>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL>
>     >>>>
>     >>>> We installed mod_auth_kerb on the webserver and the IPA server and
>     >>>> created a keytab also on both servers.
>     >>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL>
>     >>>>
>     >>>>
>     >>>>
>     >>>> With our script we still get the following error because of the
>     >>>> rights that the user has:
>     >>>>
>     >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>     >>>> 'userPassword' attribute
>     >>>>
>     >>>> When we add a user "apache" to the IPA server and give it admin
>     >>>> rights and set it to the "User Administrator" Role we still don't
>     >>>> have the right privileges to do so.
>     >>>>
>     >>>> We need to set up an S4U2Proxy, which we thought we did by
>     >>>> installing mod_auth_kerb on the webserver, but this seems to be on
>     >>>> the IPA servers.
>     >>>>
>     >>>> The same question for the keytab: where do we use it when we use a
>     >>>> simple webserver form to add a user? It's the same as in the topic
>     >>>> here where the "User privileges" are spoken about:
>     >>>>
>     >>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>     >>>>
>     >>>>
>     >>>> What do we have to do on which server? We have put a lot of time
>     >>>> into the user_show part and that works, now we still need the
>     >>>> user_add (and so on).
>     >>>>
>     >>>> Has anyone some sort of sample/howto for this ?
>     >>>>
>     >>> As I said on IRC, I'm working on the article which explains all that.
>     >>> Stay tuned.
>     >>>
>     >>>
>     >>> --
>     >>> / Alexander Bokovoy
>     >>>
>     >
>     >
>     >
>
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>
>     -------------------------------
>     Looking to carve out IT costs?
>     www.redhat.com/carveoutcosts/ <http://www.redhat.com/carveoutcosts/>
>
>
>
>     _______________________________________________
>     Freeipa-users mailing list
>     Freeipa-users@redhat.com <mailto:Freeipa-users@redhat.com>
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
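An added example, not code from this thread or from FreeIPA itself, of the A -> B -> C step Dmitri describes above: once mod_auth_kerb on the webserver has used S4U2Proxy to obtain the logged-in user a ticket for HTTP/ipa.example.com (the IPA web server's service principal, uppercase HTTP), the web application checks that the credential cache it was handed really belongs to that user and then sends user_add to the IPA JSON-RPC endpoint with it. The server name, realm, user names, API version and the python-gssapi dependency are assumptions, and SAMPLE_KLIST is constructed text, not a capture. The original poster's script is PHP; the request body and headers below are the same from any language.

```python
# Added example, not from this thread or from the FreeIPA project: what a web
# application does once mod_auth_kerb has obtained an S4U2Proxy ticket for
# HTTP/ipa.example.com on the logged-in user's behalf. Hostnames, realm, user
# names and the API version are assumptions.
import base64
import json
import os
import ssl
import subprocess
import urllib.request

IPA_SERVER = "ipa.example.com"   # assumed IPA server; its principal is HTTP/ipa.example.com
IPA_API_VERSION = "2.49"         # assumed; use the version your server reports

# Constructed 'klist -c CACHE' output for a delegated cache (not real data).
SAMPLE_KLIST = (
    "Ticket cache: FILE:/run/httpd/krbcache/krb5ccache_matt\n"
    "Default principal: matt@EXAMPLE.COM\n"
    "\n"
    "Valid starting       Expires              Service principal\n"
    "07/30/2013 08:17:00  07/30/2013 18:17:00  HTTP/ipa.example.com@EXAMPLE.COM\n"
    "\trenew until 07/31/2013 08:17:00\n"
)

def ipa_request(method, args, options, api_version=IPA_API_VERSION):
    """JSON-RPC body the IPA API expects: params = [positional args, options]."""
    opts = dict(options)
    opts.setdefault("version", api_version)
    return {"method": method, "params": [list(args), opts], "id": 0}

def user_add_request(uid, givenname, sn, **extra):
    """user_add needs givenname and sn; anything else goes in as options."""
    return ipa_request("user_add", [uid], {"givenname": givenname, "sn": sn, **extra})

def parse_klist(output):
    """Return (default principal, [service principals]) from klist text."""
    principal, services = None, []
    for line in output.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        tokens = line.split()
        # ticket lines look like: date time date time service@REALM
        if len(tokens) >= 5 and "@" in tokens[-1]:
            services.append(tokens[-1])
    return principal, services

def delegated_ccache(environ, remote_user, server=IPA_SERVER, klist=None):
    """Find the cache mod_auth_kerb (KrbSaveCredentials on) put in KRB5CCNAME
    and check it is the user's delegated cache: default principal equals
    REMOTE_USER and it holds a ticket for HTTP/<server>. Refuse otherwise,
    instead of silently calling IPA as some other identity."""
    cc = environ.get("KRB5CCNAME")
    if not cc:
        raise RuntimeError("KRB5CCNAME unset: no credentials were saved for this request")
    if klist is None:  # tests pass the text in; in production ask klist
        klist = subprocess.run(["klist", "-c", cc], capture_output=True,
                               text=True, check=True).stdout
    principal, services = parse_klist(klist)
    if principal != remote_user:
        raise RuntimeError(f"cache belongs to {principal}, not {remote_user}")
    if not any(s.startswith(f"HTTP/{server}@") for s in services):
        raise RuntimeError(f"no S4U2Proxy ticket for HTTP/{server} in {cc}")
    return cc

def ipa_call(body, ccache, server=IPA_SERVER, ca_cert="/etc/ipa/ca.crt"):
    """POST one JSON-RPC request to https://<server>/ipa/json, authenticating
    with SPNEGO from the delegated cache (python-gssapi, assumed installed)."""
    import gssapi  # imported lazily so the helpers above work without it

    creds = gssapi.Credentials(usage="initiate", store={"ccache": ccache})
    target = gssapi.Name(f"HTTP@{server}", gssapi.NameType.hostbased_service)
    ctx = gssapi.SecurityContext(name=target, creds=creds, usage="initiate",
                                 flags=[gssapi.RequirementFlag.mutual_authentication])
    token = ctx.step()
    req = urllib.request.Request(
        f"https://{server}/ipa/json", method="POST",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Referer": f"https://{server}/ipa",  # IPA rejects requests without it
                 "Authorization": "Negotiate " + base64.b64encode(token).decode()})
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=ca_cert)) as resp:
        www = resp.headers.get("WWW-Authenticate", "")
        if www.startswith("Negotiate "):  # finish mutual auth: prove it is the real server
            ctx.step(base64.b64decode(www.split(" ", 1)[1]))
        if not ctx.complete:
            raise RuntimeError("server did not complete mutual authentication")
        reply = json.load(resp)
    if reply.get("error"):
        raise RuntimeError(reply["error"]["message"])
    return reply["result"]

if __name__ == "__main__":
    # In the request handler: REMOTE_USER and KRB5CCNAME are set by mod_auth_kerb.
    cc = delegated_ccache(os.environ, os.environ["REMOTE_USER"])
    print(ipa_call(user_add_request("jdoe", "John", "Doe"), cc))
```

Two things follow from the delegation that are easy to miss when the script "works for user_show but not user_add": IPA evaluates the command against the delegated principal, so it is the logged-in user, not the apache account or the webserver's own HTTP/ principal, who needs the User Administrator role; and the check in delegated_ccache is what tells a working S4U2Proxy setup apart from one that has quietly fallen back to the webserver's keytab identity. The Referer header is mandatory on /ipa/json, and the mutual-authentication step ensures the delegated ticket is only ever accepted from a server holding the HTTP/ipa.example.com key.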
