Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Jan Cholasta

On 17.8.2016 16:33, Stanislav Laznicka wrote:

On 08/17/2016 04:11 PM, Tibor Dudlak wrote:


On Wed, Aug 17, 2016 at 3:36 PM, Stanislav Laznicka wrote:

On 08/16/2016 03:16 PM, Tibor Dudlak wrote:

Hi,

I have edited this patch after review. It should be okay now.

Thank you.

On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:
>
>
> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>
>>
>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>>> kadmin.local, we
>>>>>>> do support setting ok_as_delegate on the service principals via IPA
>>>>>>> CLI:
>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>> --ok-as-delegate=BOOL
>>>>>>>    Client credentials may be delegated to the
>>>>>>> service
>>>>>> I've tried
>>>>>>
>>>>>>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>
>>>>>> but that does not seem to have the same effect as
>>>>>>
>>>>>>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>
>>>>>> -- obtaining the delegated certificate fails.
>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>>>>> flags.
>>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>>>> principal.
>>>>
>>>> I haven't added any tickets to it yet.
>>>>
>>>>
>>> This might deserve also nice Web UI checkbox similar to "Trusted for
>>> delegation". CCing Pavel.
>>>
>> Here is patch with new checkbox. It is without ticket in commit message so
>> once we will have the ticket I will send another patch with updated commit
>> message.
>
> https://fedorahosted.org/freeipa/newticket
>
> ;-)

It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.



Please, add your answers at the end of the previous mail in the
future.

Also, your patch raises pep8 errors:
./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 >
79 characters)
./ipaserver/rpcserver.py:885:5: E113 unexpected indentation

Could you please fix them?


Hi,

thanks for review Stanislav. I understand
./ipaserver/rpcserver.py:885:5: E113 unexpected indentation, that is
my fault but really do not understand first one. Is there policy that
you decided not to patch existing files, even if there was obviously
longer line before patch until it is not necessary?
Anyway I hope it should be ok now.

Thank you.


There's a policy to try to be pep8 compliant as much as we can with any
new patches. Your new patch would still raise some pep8 errors, please
see the attached patch that should be ok. If it's ok with you then ACK,
it seems to be working.


(16:54:22) pvoborni_: tdudlak: can we push Standa's version of your patch?

(16:54:36) tdudlak: sure
(16:55:12) pvoborni_: jcholast: ^

Pushed to master: d25a0725c0e09891bd0df927641dac878dfe6a7d

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
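The exchange quoted above turns on ok_as_delegate and ok_to_auth_as_delegate being two different bits in one per-principal flag word. The Python below is an added example, not code from the thread or from FreeIPA: it models how FreeIPA-style boolean options map onto the krbticketflags integer, reproduces why `ipa service-mod --ok-as-delegate=True` leaves the S4U2Self bit untouched, and lists which of a few constructed service entries carry that stronger flag. The bit values are the MIT Kerberos KDB constants from kdb.h and the option names follow the API.txt hunks further down the page; that FreeIPA maps those options onto exactly these bits is an assumption the page itself does not state.

```python
# Added example (not FreeIPA's own code): the two delegation flags the thread
# distinguishes live side by side in one krbticketflags integer.
# Bit values are the MIT Kerberos KDB constants from kdb.h; that FreeIPA's
# ipakrb* options map onto these same bits is an assumption for this example.

from typing import Dict, List

# KDB principal flag bits (MIT Kerberos kdb.h).
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_OK_AS_DELEGATE = 0x00100000          # kadmin: +ok_as_delegate
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE = 0x00200000  # kadmin: +ok_to_auth_as_delegate

# FreeIPA option name -> bit in krbticketflags (assumed mapping).
TICKET_FLAGS: Dict[str, int] = {
    "ipakrbrequirespreauth": KRB5_KDB_REQUIRES_PRE_AUTH,
    "ipakrbokasdelegate": KRB5_KDB_OK_AS_DELEGATE,
    "ipakrboktoauthasdelegate": KRB5_KDB_OK_TO_AUTH_AS_DELEGATE,
}


def set_flag(krbticketflags: int, name: str, value: bool) -> int:
    """Return krbticketflags with the bit for `name` set (True) or cleared (False)."""
    bit = TICKET_FLAGS[name]
    return krbticketflags | bit if value else krbticketflags & ~bit


def decode(krbticketflags: int) -> Dict[str, bool]:
    """Expand the integer into the boolean view the CLI and Web UI present."""
    return {name: bool(krbticketflags & bit) for name, bit in TICKET_FLAGS.items()}


def s4u2self_capable(entries: List[dict]) -> List[str]:
    """Principals carrying ok_to_auth_as_delegate: the KDC will hand them
    forwardable S4U2Self tickets, i.e. tickets to themselves on behalf of users
    who never authenticated to them. A much stronger grant than ok_as_delegate,
    so it is worth inventorying separately."""
    return sorted(
        e["krbprincipalname"] for e in entries
        if e.get("krbticketflags", 0) & KRB5_KDB_OK_TO_AUTH_AS_DELEGATE
    )


# Constructed sample entries standing in for LDAP service objects.
SAMPLE_ENTRIES = [
    {"krbprincipalname": "HTTP/ipa.example.test@EXAMPLE.TEST",
     "krbticketflags": KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_OK_TO_AUTH_AS_DELEGATE},
    {"krbprincipalname": "ldap/ipa.example.test@EXAMPLE.TEST",
     "krbticketflags": KRB5_KDB_REQUIRES_PRE_AUTH | KRB5_KDB_OK_AS_DELEGATE},
    {"krbprincipalname": "nfs/files.example.test@EXAMPLE.TEST",
     "krbticketflags": 0},
]


def reproduce_thread_confusion() -> Dict[str, bool]:
    """What `ipa service-mod --ok-as-delegate=True` changes on a fresh entry:
    only the ok_as_delegate bit. ok_to_auth_as_delegate stays clear, which is
    why it does not have the effect of `modprinc +ok_to_auth_as_delegate`."""
    flags = set_flag(0, "ipakrbokasdelegate", True)
    return decode(flags)


if __name__ == "__main__":
    print(reproduce_thread_confusion())
    print("S4U2Self-capable:", s4u2self_capable(SAMPLE_ENTRIES))
```

Run it directly to print both results. The part a reviewer would keep is `s4u2self_capable`: the set of principals with that bit deserves the same periodic audit as the list of services trusted for delegation, because the checkbox and CLI option added by the patches in this thread make it a one-click change.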


Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Stanislav Laznicka

On 08/17/2016 03:50 PM, Pavel Vomacka wrote:




On 08/17/2016 02:42 PM, Pavel Vomacka wrote:



On 08/11/2016 07:49 PM, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:


On 11.08.2016 18:57, Pavel Vomacka wrote:


On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:
On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.



This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

Here is patch with new checkbox. It is without ticket in commit message so
once we will have the ticket I will send another patch with updated commit
message.

https://fedorahosted.org/freeipa/newticket

;-)
It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 
so we

might use that.

Thank you, patch with updated commit message attached.




Attached patch adds checkbox also to host page.


Thank you, works as expected. ACK.


Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Stanislav Laznicka

On 08/17/2016 03:58 PM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:



On 11.08.2016 18:57, Pavel Vomacka wrote:



On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

 ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

 modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.



This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

Here is patch with new checkbox. It is without ticket in commit message so
once we will have the ticket I will send another patch with updated commit
message.


https://fedorahosted.org/freeipa/newticket

;-)


It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.

Sounds good. Patch with updated commit message is attached.



Thank you for the updated patch, works as expected so ACK.



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Jan Cholasta

On 17.8.2016 16:36, Stanislav Laznicka wrote:

On 08/17/2016 03:50 PM, Pavel Vomacka wrote:




On 08/17/2016 02:42 PM, Pavel Vomacka wrote:



On 08/11/2016 07:49 PM, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:


On 11.08.2016 18:57, Pavel Vomacka wrote:


On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are
different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the
service
principal.

I haven't added any tickets to it yet.



This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.


Here is patch with new checkbox. It is without ticket in commit message so
once we will have the ticket I will send another patch with updated commit
message.

https://fedorahosted.org/freeipa/newticket

;-)

It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764
so we
might use that.

Thank you, patch with updated commit message attached.




Attached patch adds checkbox also to host page.


Thank you, works as expected. ACK.


Pushed to master: c36d721a01106e24186bd6b2f0fc74d7af31d5ba

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Jan Cholasta

On 17.8.2016 16:35, Stanislav Laznicka wrote:

On 08/17/2016 03:58 PM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:



On 11.08.2016 18:57, Pavel Vomacka wrote:



On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

 ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

 modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are
different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the
service
principal.

I haven't added any tickets to it yet.



This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.


Here is patch with new checkbox. It is without ticket in commit message so
once we will have the ticket I will send another patch with updated commit
message.


https://fedorahosted.org/freeipa/newticket

;-)


It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.

Sounds good. Patch with updated commit message is attached.



Thank you for the updated patch, works as expected so ACK.


Pushed to master: 1c73ac91a4c76cbada91f2b30d8b731b91af5195

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Stanislav Laznicka

On 08/17/2016 04:11 PM, Tibor Dudlak wrote:


On Wed, Aug 17, 2016 at 3:36 PM, Stanislav Laznicka wrote:


On 08/16/2016 03:16 PM, Tibor Dudlak wrote:

Hi,

I have edited this patch after review. It should be okay now.

Thank you.

On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:
>
>
> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>
>>
>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>>> kadmin.local, we
>>>>>>> do support setting ok_as_delegate on the service principals via IPA
>>>>>>> CLI:
>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>> --ok-as-delegate=BOOL
>>>>>>>    Client credentials may be delegated to the
>>>>>>> service
>>>>>> I've tried
>>>>>>
>>>>>>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>
>>>>>> but that does not seem to have the same effect as
>>>>>>
>>>>>>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>
>>>>>> -- obtaining the delegated certificate fails.
>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>>>>> flags.
>>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>>>> principal.
>>>>
>>>> I haven't added any tickets to it yet.
>>>>
>>>>
>>> This might deserve also nice Web UI checkbox similar to "Trusted for
>>> delegation". CCing Pavel.
>>>
>> Here is patch with new checkbox. It is without ticket in commit message so
>> once we will have the ticket I will send another patch with updated commit
>> message.
>
> https://fedorahosted.org/freeipa/newticket
>
> ;-)

It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.



Please, add your answers at the end of the previous mail in the
future.

Also, your patch raises pep8 errors:
./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 >
79 characters)
./ipaserver/rpcserver.py:885:5: E113 unexpected indentation

Could you please fix them?


Hi,

thanks for review Stanislav. I understand 
./ipaserver/rpcserver.py:885:5: E113 unexpected indentation, that is 
my fault but really do not understand first one. Is there policy that 
you decided not to patch existing files, even if there was obviously 
longer line before patch until it is not necessary?

Anyway I hope it should be ok now.

Thank you.


There's a policy to try to be pep8 compliant as much as we can with any 
new patches. Your new patch would still raise some pep8 errors, please 
see the attached patch that should be ok. If it's ok with you then ACK, 
it seems to be working.


From e8f7cffe8fa24d2e02285ab2907e95463aad4311 Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method

Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py |  6 +-
 ipaserver/rpcserver.py | 17 +
 2 files changed, 18 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..08c7456ed6dbfcc59f532314894031fba584e20a 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,16 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+from ipaserver.rpcserver import (
+wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session,
+login_kerberos, login_x509, login_password, change_password,
+sync_token, xmlserver_session)
 register()(wsgi_dispatch)
 register()(xmlserver)
 register()(jsonserver_kerb)
 register()(jsonserver_session)
 register()(login_kerberos)
+register()(login_x509)
 register()(login_password)
 register()(change_password)
 register()(sync_token)
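Review bot: the security-relevant part of this change, the `login_x509` class that `register()(login_x509)` mounts as a new login endpoint, lives in the `ipaserver/rpcserver.py` hunk, which is not shown on the page (the diffstat lists 17 added lines there); how that class checks the client certificate before it issues a session has to be reviewed in that hunk, not here. The import block in this hunk, with a break directly after `(` and the names indented one level, is the pep8-clean form Stanislav asked for.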

Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Tibor Dudlak
On Wed, Aug 17, 2016 at 3:36 PM, Stanislav Laznicka wrote:

> On 08/16/2016 03:16 PM, Tibor Dudlak wrote:
>
> Hi,
>
> I have edited this patch after review. It should be okay now.
>
> Thank you.
>
> On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik wrote:
>
>> On 08/11/2016 07:21 PM, Martin Basti wrote:
>> >
>> >
>> > On 11.08.2016 18:57, Pavel Vomacka wrote:
>> >>
>> >>
>> >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>> >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>> >>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>> >>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>> >>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>> >>>>>>> Got it. One thing I would correct, though, -- don't use
>> >>>>>>> kadmin.local, we
>> >>>>>>> do support setting ok_as_delegate on the service principals via IPA
>> >>>>>>> CLI:
>> >>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>> >>>>>>> --ok-as-delegate=BOOL
>> >>>>>>>    Client credentials may be delegated to the
>> >>>>>>> service
>> >>>>>> I've tried
>> >>>>>>
>> >>>>>>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>> >>>>>>
>> >>>>>> but that does not seem to have the same effect as
>> >>>>>>
>> >>>>>>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>> >>>>>>
>> >>>>>> -- obtaining the delegated certificate fails.
>> >>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are
>> >>>>> different
>> >>>>> flags.
>> >>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>> >>>> principal.
>> >>>>
>> >>>> I haven't added any tickets to it yet.
>> >>>>
>> >>>>
>> >>> This might deserve also nice Web UI checkbox similar to "Trusted for
>> >>> delegation". CCing Pavel.
>> >>>
>> >> Here is patch with new checkbox. It is without ticket in commit message so
>> >> once we will have the ticket I will send another patch with updated commit
>> >> message.
>> >
>> > https://fedorahosted.org/freeipa/newticket
>> >
>> > ;-)
>>
>> It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
>> might use that.
>>
>>
> Please, add your answers at the end of the previous mail in the future.
>
> Also, your patch raises pep8 errors:
> ./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 > 79
> characters)
> ./ipaserver/rpcserver.py:885:5: E113 unexpected indentation
>
> Could you please fix them?
>

Hi,

thanks for review Stanislav. I understand ./ipaserver/rpcserver.py:885:5:
E113 unexpected indentation, that is my fault but really do not understand
first one. Is there policy that you decided not to patch existing files,
even if there was obviously longer line before patch until it is not
necessary?
Anyway I hope it should be ok now.

Thank you.

-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From 259686e660d2efca1e6ce3153b6fcf4926df127b Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method

Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py |  5 -
 ipaserver/rpcserver.py | 17 +
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..8be3bd930c18bc602c413aa34d1f766ead59fdc8 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,15 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+from ipaserver.rpcserver import (wsgi_dispatch, xmlserver, jsonserver_kerb,
+jsonserver_session, login_kerberos, login_x509, login_password,
+change_password, sync_token, xmlserver_session)
 register()(wsgi_dispatch)
 register()(xmlserver)
 register()(jsonserver_kerb)
 register()(jsonserver_session)
 register()(login_kerberos)
+register()(login_x509)
 register()(login_password)
 register()(change_password)
 register()(sync_token)
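Review bot: Stanislav's reply says this version still raises pep8 errors, and this import is the likely cause: once names follow the opening parenthesis on the first line, pep8 expects every continuation line to be aligned under `wsgi_dispatch` and reports E128 otherwise, and the first line itself is at the 79-column limit with the usual four-space indent inside the `if` block. Breaking directly after `(` and indenting all names by one level, as Stanislav's attached version does, sidesteps the alignment rule entirely.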
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d036f3c27521f17709672b830d5aa58167c76b34..e48dc3498d6ed8feb6ea44a9a678a8b8c50e8d9b 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -857,16 +857,16 @@ class jsonserver_kerb(jsonserver, KerberosWSGIExecutioner):
 key = '/json'
 
 
-class login_kerberos(Backend, KerberosSession, HTTP_Status):
-key = '/session/login_kerberos'
+class KerberosLogin(Backend, KerberosSession, HTTP_Status):
+key = None
 
 def _on_finalize(self):
-super(login_kerberos, self)._on_finalize()
+super(KerberosLogin, self)._on_finalize()
 self.api.Backend.wsgi_dispatch.mount(self, self.key)
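Review bot: with `key = None` on the new `KerberosLogin` base class, `_on_finalize` would call `self.api.Backend.wsgi_dispatch.mount(self, None)` if the base class itself were ever registered and finalized; guard the mount with `if self.key is not None:` or document that only subclasses that set `key` may be registered. The subclasses that keep the old `/session/login_kerberos` key, and the `login_x509` subclass registered in the xmlserver.py hunk above, are outside the visible part of this hunk, so their keys cannot be checked here.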
 

Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Alexander Bokovoy

On Thu, 11 Aug 2016, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:



On 11.08.2016 18:57, Pavel Vomacka wrote:



On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

 ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

 modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.



This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.


Here is patch with new checkbox. It is without ticket in commit message so
once we will have the ticket I will send another patch with updated commit
message.


https://fedorahosted.org/freeipa/newticket

;-)


It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.

Sounds good. Patch with updated commit message is attached.

--
/ Alexander Bokovoy
From e2cebaa4e4b30b588d484e111cb11779cb863c0f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 11 Aug 2016 11:52:05 +0300
Subject: [PATCH 06/10] service: add flag to allow S4U2Self

Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
---
 API.txt  | 12 
 VERSION  |  4 ++--
 ipaserver/plugins/service.py |  7 +++
 3 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/API.txt b/API.txt
index 535d8ec..5b83bfb 100644
--- a/API.txt
+++ b/API.txt
@@ -2260,7 +2260,7 @@ output: Output('summary', type=[, ])
 output: Output('value', type=[])
 output: Output('warning', type=[, , ])
 command: host_add/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
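Review bot: the `args: 1,24,3` to `1,25,3` bump matches the single option added to host_add in the next hunk. API.txt is generated output (`./makeapi` in the FreeIPA tree), so regenerating it rather than editing by hand keeps these counts in step across all four commands touched here; the VERSION change in the diffstat is the accompanying API-version bump.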
@@ -2269,6 +2269,7 @@ option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
 option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
@@ -2437,7 +2438,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: host_mod/1
-args: 1,25,3
+args: 1,26,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2445,6 +2446,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, 
cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, 
cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
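Review bot: the two `option: Bool(...)` lines for host_mod appear wrapped here, with `cli_name=` pushed onto a line of its own; that is mail-client wrapping rather than the patch itself, and a copy taken from this text would not apply, so take the change from the attachment. Content-wise, `autofill=False` on the `*_mod` variant matches the neighbouring `ipakrbokasdelegate?` option and is what lets a mod call leave an unspecified flag untouched instead of clearing it.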
@@ -4293,13 +4295,14 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,12,3
+args: 1,13,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', 
u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
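Review bot: on service_add the new `ipakrboktoauthasdelegate?` option carries no default, so a service is created without this bit unless it is requested explicitly; that is the right default for a flag that lets the service obtain tickets on a user's behalf without that user ever authenticating to it, and it mirrors the existing `ipakrbokasdelegate?` option directly above.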
@@ -4435,13 +4438,14 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: service_mod/1
-args: 1,14,3
+args: 1,15,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', 

Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Pavel Vomacka



On 08/17/2016 02:42 PM, Pavel Vomacka wrote:



On 08/11/2016 07:49 PM, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:


On 11.08.2016 18:57, Pavel Vomacka wrote:


On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.



This might deserve also nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

Here is patch with new checkbox. It is without ticket in commit message so
once we will have the ticket I will send another patch with updated commit
message.

https://fedorahosted.org/freeipa/newticket

;-)

It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.

Thank you, patch with updated commit message attached.




Attached patch adds checkbox also to host page.

--
Pavel^3 Vomacka

From dd28fcd09582d8b2a841ecea556d051074b45f79 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 11 Aug 2016 18:53:55 +0200
Subject: [PATCH] Add 'trusted to auth as user' checkbox

Add new checkbox to host and service details page

Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
---
 install/ui/src/freeipa/host.js| 5 +
 install/ui/src/freeipa/service.js | 5 +
 2 files changed, 10 insertions(+)

diff --git a/install/ui/src/freeipa/host.js b/install/ui/src/freeipa/host.js
index 33d443c2bc96c385bd13abf4d85adda6e51db718..87cf264ef20b79aceed639f45d926fd7aef19edf 100644
--- a/install/ui/src/freeipa/host.js
+++ b/install/ui/src/freeipa/host.js
@@ -142,6 +142,11 @@ return {
 flags: ['w_if_no_aci']
 },
 {
+name: 'ipakrboktoauthasdelegate',
+$type: 'checkbox',
+acl_param: 'krbticketflags'
+},
+{
 name: 'ipaassignedidview',
 $type: 'link',
 label: '@i18n:objects.idview.ipaassignedidview',
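Review bot: the new checkbox carries no `label`, unlike the `ipaassignedidview` link right below it, so the Web UI will take its text from the server-side parameter metadata; that only renders correctly once the server plugin from Alexander's patch, which defines `ipakrboktoauthasdelegate`, is deployed together with it. `acl_param: 'krbticketflags'` is right: the checkbox is one bit of that attribute, under the same ACL that already governs the ok_as_delegate checkbox.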
diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index 35d486605ebfee41d8b3ffa5bb77bf9e72a60c01..30e336c35b8eece2e5e3ef55629d0c98f097fbf5 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -142,6 +142,11 @@ return {
 acl_param: 'krbticketflags'
 },
 {
+name: 'ipakrboktoauthasdelegate',
+$type: 'checkbox',
+acl_param: 'krbticketflags'
+},
+{
 name: 'ipakrbrequirespreauth',
 $type: 'checkbox',
 acl_param: 'krbticketflags'
-- 
2.5.5


Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Stanislav Laznicka

On 08/16/2016 03:16 PM, Tibor Dudlak wrote:

Hi,

I have edited this patch after review. It should be okay now.

Thank you.

On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik wrote:


On 08/11/2016 07:21 PM, Martin Basti wrote:
>
>
> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>
>>
>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>>>> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>>>>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>>>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>>>>>> Got it. One thing I would correct, though, -- don't use
>>>>>>> kadmin.local, we
>>>>>>> do support setting ok_as_delegate on the service principals via IPA
>>>>>>> CLI:
>>>>>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>>>>>> --ok-as-delegate=BOOL
>>>>>>>    Client credentials may be delegated to the
>>>>>>> service
>>>>>> I've tried
>>>>>>
>>>>>>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>>>>
>>>>>> but that does not seem to have the same effect as
>>>>>>
>>>>>>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>>>>
>>>>>> -- obtaining the delegated certificate fails.
>>>>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>>>>> flags.
>>>> Right. The following patch adds ok_to_auth_as_delegate to the service
>>>> principal.
>>>>
>>>> I haven't added any tickets to it yet.
>>>>
>>>>
>>> This might deserve also nice Web UI checkbox similar to "Trusted for
>>> delegation". CCing Pavel.
>>>
>> Here is patch with new checkbox. It is without ticket in commit message so
>> once we will have the ticket I will send another patch with updated commit
>> message.
>
> https://fedorahosted.org/freeipa/newticket
>
> ;-)

It's prerequisite for https://fedorahosted.org/freeipa/ticket/5764 so we
might use that.



Please, add your answers at the end of the previous mail in the future.

Also, your patch raises pep8 errors:
./ipaserver/plugins/xmlserver.py:31:80: E501 line too long (189 > 79 
characters)

./ipaserver/rpcserver.py:885:5: E113 unexpected indentation

Could you please fix them?

Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-17 Thread Pavel Vomacka



On 08/11/2016 07:49 PM, Petr Vobornik wrote:

On 08/11/2016 07:21 PM, Martin Basti wrote:


On 11.08.2016 18:57, Pavel Vomacka wrote:


On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
Client credentials may be delegated to the
service

I've tried

  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.



This might also deserve a nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.


Here is a patch with the new checkbox. It is without a ticket in the commit message, so
once we have the ticket I will send another patch with the updated commit
message.

https://fedorahosted.org/freeipa/newticket

;-)

It's a prerequisite for https://fedorahosted.org/freeipa/ticket/5764, so we
might use that.

Thank you, the patch with the updated commit message is attached.

--
Pavel^3 Vomacka

From c4ea9bb301162712207ac27dcbcd4aa06131cdbb Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 11 Aug 2016 18:53:55 +0200
Subject: [PATCH] Add 'trusted to auth as user' checkbox

Prerequisite for: https://fedorahosted.org/freeipa/ticket/5764
---
 install/ui/src/freeipa/service.js | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index 35d486605ebfee41d8b3ffa5bb77bf9e72a60c01..30e336c35b8eece2e5e3ef55629d0c98f097fbf5 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -142,6 +142,11 @@ return {
 acl_param: 'krbticketflags'
 },
 {
+name: 'ipakrboktoauthasdelegate',
+$type: 'checkbox',
+acl_param: 'krbticketflags'
+},
+{
 name: 'ipakrbrequirespreauth',
 $type: 'checkbox',
 acl_param: 'krbticketflags'
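Review bot: the new `ipakrboktoauthasdelegate` checkbox in this hunk comes with no label or help text, and the diffstat shows only install/ui/src/freeipa/service.js changing, so the field will render with whatever default the name produces. Add the label and help string alongside the existing 'Trusted for delegation' entry, and have the help text say that this flag lets the service obtain tickets to itself on behalf of any user (S4U2Self), which is a stronger grant than ordinary delegation and should not be confused with the checkbox directly above it.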
-- 
2.5.5


Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-16 Thread Tibor Dudlak
Hi,

I have edited this patch after review. It should be okay now.

Thank you.

On Thu, Aug 11, 2016 at 7:49 PM, Petr Vobornik  wrote:

> On 08/11/2016 07:21 PM, Martin Basti wrote:
> >
> >
> > On 11.08.2016 18:57, Pavel Vomacka wrote:
> >>
> >>
> >> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
> >>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
>  On Thu, 11 Aug 2016, Jan Cholasta wrote:
> > On 4.8.2016 17:27, Jan Pazdziora wrote:
> >> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
> >>> Got it. One thing I would correct, though, -- don't use
> >>> kadmin.local, we
> >>> do support setting ok_as_delegate on the service principals via IPA
> >>> CLI:
> >>> $ ipa service-mod --help |grep -A1 ok-as-delegate
> >>> --ok-as-delegate=BOOL
> >>>Client credentials may be delegated to the
> >>> service
> >> I've tried
> >>
> >>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
> >>
> >> but that does not seem to have the same effect as
> >>
> >>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
> >>
> >> -- obtaining the delegated certificate fails.
> > That's because ok_as_delegate and ok_to_auth_as_delegate are
> different
> > flags.
>  Right. The following patch adds ok_to_auth_as_delegate to the service
>  principal.
> 
>  I haven't added any tickets to it yet.
> 
> 
> >>> This might also deserve a nice Web UI checkbox similar to "Trusted for
> >>> delegation". CCing Pavel.
> >>>
> >> Here is a patch with the new checkbox. It is without a ticket in the commit
> >> message, so once we have the ticket I will send another patch with the
> >> updated commit message.
> >
> > https://fedorahosted.org/freeipa/newticket
> >
> > ;-)
>
> It's a prerequisite for https://fedorahosted.org/freeipa/ticket/5764, so we
> might use that.
> >
> >>
> >>
> >>
> >
> >
> >
>
>
> --
> Petr Vobornik
>
>



-- 
Tibor Dudlák
Intern - Identity management Special Projects
Red Hat
From 9c6c302c8ae2a5108d7ccfe98520c43926fd75bf Mon Sep 17 00:00:00 2001
From: Tiboris 
Date: Tue, 16 Aug 2016 14:13:29 +0200
Subject: [PATCH] Added new authentication method

Addressing ticket https://fedorahosted.org/freeipa/ticket/5764
---
 ipaserver/plugins/xmlserver.py |  3 ++-
 ipaserver/rpcserver.py | 17 +
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/ipaserver/plugins/xmlserver.py b/ipaserver/plugins/xmlserver.py
index d8fe24e0cb407603e9898e934229c9373f3c8b62..1843c0568543951f2c817616d9e988deaab47056 100644
--- a/ipaserver/plugins/xmlserver.py
+++ b/ipaserver/plugins/xmlserver.py
@@ -28,12 +28,13 @@ register = Registry()
 
 
 if api.env.context in ('server', 'lite'):
-from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_password, change_password, sync_token, xmlserver_session
+from ipaserver.rpcserver import wsgi_dispatch, xmlserver, jsonserver_kerb, jsonserver_session, login_kerberos, login_x509, login_password, change_password, sync_token, xmlserver_session
 register()(wsgi_dispatch)
 register()(xmlserver)
 register()(jsonserver_kerb)
 register()(jsonserver_session)
 register()(login_kerberos)
+register()(login_x509)
 register()(login_password)
 register()(change_password)
 register()(sync_token)
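Review bot: the rewritten `from ipaserver.rpcserver import ...` line in this hunk is far beyond 79 columns (it is the E501 at xmlserver.py:31 reported in the thread); split it into a parenthesized import, one name per line. Also, `register()(login_x509)` makes the new endpoint live as soon as the plugin loads, so the Apache configuration that requires a client certificate on /ipa/session/login_x509 (asked about earlier in the thread) has to ship in the same change, otherwise the path is mounted before anything verifies a certificate for it.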
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d036f3c27521f17709672b830d5aa58167c76b34..b45eb5cca43859f20af9d40a84142cfa42c2caa2 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -857,16 +857,16 @@ class jsonserver_kerb(jsonserver, KerberosWSGIExecutioner):
 key = '/json'
 
 
-class login_kerberos(Backend, KerberosSession, HTTP_Status):
-key = '/session/login_kerberos'
+class KerberosLogin(Backend, KerberosSession, HTTP_Status):
+key = None
 
 def _on_finalize(self):
-super(login_kerberos, self)._on_finalize()
+super(KerberosLogin, self)._on_finalize()
 self.api.Backend.wsgi_dispatch.mount(self, self.key)
 self.kerb_session_on_finalize()
 
 def __call__(self, environ, start_response):
-self.debug('WSGI login_kerberos.__call__:')
+self.debug('WSGI KerberosLogin.__call__:')
 
 # Get the ccache created by mod_auth_gssapi
 user_ccache_name=environ.get('KRB5CCNAME')
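Review bot: `KerberosLogin` now declares `key = None`, yet its `_on_finalize` still calls `self.api.Backend.wsgi_dispatch.mount(self, self.key)`, so if the base class is ever registered it would be mounted at key `None`; either skip the mount (or raise) when `self.key is None`, or document that only subclasses may be registered. The debug line `'WSGI KerberosLogin.__call__:'` also no longer says which login endpoint was hit; log `self.key` or the subclass name so Kerberos and x509 logins can be told apart.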
@@ -876,6 +876,15 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
 
 return self.finalize_kerberos_acquisition('login_kerberos', user_ccache_name, environ, start_response)
 
+
+class login_kerberos(KerberosLogin):
+key = '/session/login_kerberos'
+
+
+class login_x509(KerberosLogin)
+key = 
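Review bot: `class login_x509(KerberosLogin)` at the end of this hunk is missing its trailing colon and the following `key =` assignment is empty as posted, so the module will not import in this form (this is where the pep8 E113 at rpcserver.py:885 reported in the thread comes from). Further up, the unchanged context line passes the literal `'login_kerberos'` to `finalize_kerberos_acquisition` from the shared base class, so an x509 login is reported under the Kerberos endpoint's name; pass the subclass's own identifier (for example `self.key` or `type(self).__name__`) instead.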

Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-11 Thread Petr Vobornik
On 08/11/2016 07:21 PM, Martin Basti wrote:
> 
> 
> On 11.08.2016 18:57, Pavel Vomacka wrote:
>>
>>
>> On 08/11/2016 02:00 PM, Petr Vobornik wrote:
>>> On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
 On Thu, 11 Aug 2016, Jan Cholasta wrote:
> On 4.8.2016 17:27, Jan Pazdziora wrote:
>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>>> Got it. One thing I would correct, though, -- don't use
>>> kadmin.local, we
>>> do support setting ok_as_delegate on the service principals via IPA
>>> CLI:
>>> $ ipa service-mod --help |grep -A1 ok-as-delegate
>>> --ok-as-delegate=BOOL
>>>Client credentials may be delegated to the
>>> service
>> I've tried
>>
>>  ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>
>> but that does not seem to have the same effect as
>>
>>  modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>
>> -- obtaining the delegated certificate fails.
> That's because ok_as_delegate and ok_to_auth_as_delegate are different
> flags.
 Right. The following patch adds ok_to_auth_as_delegate to the service
 principal.

 I haven't added any tickets to it yet.


>>> This might also deserve a nice Web UI checkbox similar to "Trusted for
>>> delegation". CCing Pavel.
>>>
>> Here is a patch with the new checkbox. It is without a ticket in the commit message, so
>> once we have the ticket I will send another patch with the updated commit
>> message.
> 
> https://fedorahosted.org/freeipa/newticket
> 
> ;-)

It's a prerequisite for https://fedorahosted.org/freeipa/ticket/5764, so we
might use that.
> 
>>
>>
>>
> 
> 
> 


-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-11 Thread Martin Basti



On 11.08.2016 18:57, Pavel Vomacka wrote:



On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

 ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

 modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.



This might also deserve a nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

Here is a patch with the new checkbox. It is without a ticket in the commit
message, so once we have the ticket I will send another patch
with the updated commit message.


https://fedorahosted.org/freeipa/newticket

;-)








Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-11 Thread Pavel Vomacka



On 08/11/2016 02:00 PM, Petr Vobornik wrote:

On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

Got it. One thing I would correct, though, -- don't use
kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA
CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
   Client credentials may be delegated to the
service

I've tried

 ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

 modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

That's because ok_as_delegate and ok_to_auth_as_delegate are different
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.



This might also deserve a nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

Here is a patch with the new checkbox. It is without a ticket in the commit message,
so once we have the ticket I will send another patch with the updated
commit message.


--
Pavel^3 Vomacka

From 6cb9d1152789c2d015b3a85ded622980241a2137 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 11 Aug 2016 18:53:55 +0200
Subject: [PATCH] Add 'trusted to auth as user' checkbox

---
 install/ui/src/freeipa/service.js | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/ui/src/freeipa/service.js b/install/ui/src/freeipa/service.js
index 35d486605ebfee41d8b3ffa5bb77bf9e72a60c01..30e336c35b8eece2e5e3ef55629d0c98f097fbf5 100644
--- a/install/ui/src/freeipa/service.js
+++ b/install/ui/src/freeipa/service.js
@@ -142,6 +142,11 @@ return {
 acl_param: 'krbticketflags'
 },
 {
+name: 'ipakrboktoauthasdelegate',
+$type: 'checkbox',
+acl_param: 'krbticketflags'
+},
+{
 name: 'ipakrbrequirespreauth',
 $type: 'checkbox',
 acl_param: 'krbticketflags'
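Review bot: the new `ipakrboktoauthasdelegate` entry in this hunk depends on the server side accepting an option of that name (the `ipakrboktoauthasdelegate` Bool added to service_add/service_mod in Alexander's patch earlier in this thread); against a server without that option the checkbox will fail to save, so this UI change must land after, or together with, the server patch and the commit message should state that dependency. Since all three checkboxes here share `acl_param: 'krbticketflags'`, also confirm the field writes the named option rather than the raw `krbticketflags` attribute, so toggling one checkbox cannot clear the neighbouring bits.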
-- 
2.5.5


Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-11 Thread Petr Vobornik
On 08/11/2016 10:54 AM, Alexander Bokovoy wrote:
> On Thu, 11 Aug 2016, Jan Cholasta wrote:
>> On 4.8.2016 17:27, Jan Pazdziora wrote:
>>> On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:

 Got it. One thing I would correct, though, -- don't use
 kadmin.local, we
 do support setting ok_as_delegate on the service principals via IPA
 CLI:
 $ ipa service-mod --help |grep -A1 ok-as-delegate
 --ok-as-delegate=BOOL
   Client credentials may be delegated to the
 service
>>>
>>> I've tried
>>>
>>> ipa service-mod --ok-as-delegate=True HTTP/$(hostname)
>>>
>>> but that does not seem to have the same effect as
>>>
>>> modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test
>>>
>>> -- obtaining the delegated certificate fails.
>>
>> That's because ok_as_delegate and ok_to_auth_as_delegate are different
>> flags.
> Right. The following patch adds ok_to_auth_as_delegate to the service
> principal.
> 
> I haven't added any tickets to it yet.
> 
> 

This might also deserve a nice Web UI checkbox similar to "Trusted for
delegation". CCing Pavel.

-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-11 Thread Alexander Bokovoy

On Thu, 11 Aug 2016, Jan Cholasta wrote:

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:


Got it. One thing I would correct, though, -- don't use kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
--ok-as-delegate=BOOL
  Client credentials may be delegated to the service


I've tried

ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.


That's because ok_as_delegate and ok_to_auth_as_delegate are different 
flags.

Right. The following patch adds ok_to_auth_as_delegate to the service
principal.

I haven't added any tickets to it yet.
--
/ Alexander Bokovoy
From 9af1c479cf8d1862c001fccd5345bd93dd6e54a8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Thu, 11 Aug 2016 11:52:05 +0300
Subject: [PATCH 6/6] service: add flag to allow S4U2Self

---
 API.txt  | 12 
 ipaserver/plugins/service.py |  7 +++
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/API.txt b/API.txt
index 535d8ec..5b83bfb 100644
--- a/API.txt
+++ b/API.txt
@@ -2260,7 +2260,7 @@ output: Output('summary', type=[, ])
 output: Output('value', type=[])
 output: Output('warning', type=[, , ])
 command: host_add/1
-args: 1,24,3
+args: 1,25,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2269,6 +2269,7 @@ option: Flag('force', autofill=True, default=False)
 option: Str('ip_address?')
 option: Str('ipaassignedidview?')
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
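Review bot: the subject line says `service:` but this hunk (and the host_mod hunk below it) extends host_add with `ipakrboktoauthasdelegate` too, with nothing in the commit message saying that hosts gain the flag. State it explicitly: a host principal carrying ok_to_auth_as_delegate can obtain service tickets to itself for any user (S4U2Self), the same grant the HTTP principal needs for the x509 login, so administrators auditing host entries need to know the option exists and what it permits.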
@@ -2437,7 +2438,7 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: host_mod/1
-args: 1,25,3
+args: 1,26,3
 arg: Str('fqdn', cli_name='hostname')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
@@ -2445,6 +2446,7 @@ option: Str('delattr*', cli_name='delattr')
 option: Str('description?', autofill=False, cli_name='desc')
 option: Str('ipaassignedidview?', autofill=False)
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, 
cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, 
cli_name='requires_pre_auth')
 option: Str('ipasshpubkey*', autofill=False, cli_name='sshpubkey')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
@@ -4293,13 +4295,14 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: service_add/1
-args: 1,12,3
+args: 1,13,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Flag('force', autofill=True, default=False)
 option: StrEnum('ipakrbauthzdata*', cli_name='pac_type', values=[u'MS-PAC', 
u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', cli_name='auth_ind')
 option: Flag('no_members', autofill=True, default=False)
@@ -4435,13 +4438,14 @@ output: ListOfEntries('result')
 output: Output('summary', type=[, ])
 output: Output('truncated', type=[])
 command: service_mod/1
-args: 1,14,3
+args: 1,15,3
 arg: Principal('krbcanonicalname', cli_name='canonical_principal')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
 option: Str('delattr*', cli_name='delattr')
 option: StrEnum('ipakrbauthzdata*', autofill=False, cli_name='pac_type', 
values=[u'MS-PAC', u'PAD', u'NONE'])
 option: Bool('ipakrbokasdelegate?', autofill=False, cli_name='ok_as_delegate')
+option: Bool('ipakrboktoauthasdelegate?', autofill=False, 
cli_name='ok_to_auth_as_delegate')
 option: Bool('ipakrbrequirespreauth?', autofill=False, 
cli_name='requires_pre_auth')
 option: Str('krbprincipalauthind*', autofill=False, cli_name='auth_ind')
 option: Principal('krbprincipalname*', autofill=False, cli_name='principal')
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index a44dcaa..04d1916 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ 
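Review bot: the ipaserver/plugins/service.py part of the diff is cut off right after the `@@` marker, so the change that actually matters (which bit is mapped to `ipakrboktoauthasdelegate`, its label and its doc string) cannot be reviewed from this mail; please resend the complete patch. When it arrives, make sure the option's doc text distinguishes it from `ok_as_delegate` (service may obtain tickets to itself as any user, versus client credentials may be delegated to the service), since the thread shows the two being mixed up already.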

Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-11 Thread Jan Cholasta

On 4.8.2016 17:27, Jan Pazdziora wrote:

On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:


Got it. One thing I would correct, though, -- don't use kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
 --ok-as-delegate=BOOL
   Client credentials may be delegated to the service


I've tried

ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.


That's because ok_as_delegate and ok_to_auth_as_delegate are different 
flags.


--
Jan Cholasta

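An added example, not code from this thread, from FreeIPA or from MIT Kerberos, that models the krbticketflags bitmask behind the two flags Jan distinguishes above: ok_as_delegate and ok_to_auth_as_delegate are separate bits, so the `ipa service-mod --ok-as-delegate=True` run earlier in the thread leaves the bit S4U2Self relies on untouched, while `modprinc +ok_to_auth_as_delegate` (or the option Alexander's patch adds) sets it. The bit values are the KRB5_KDB_* constants from MIT Kerberos kdb.h; the mapping of kadmin tokens and IPA option names onto them is this example's own assumption.

```python
# Added example (not FreeIPA or MIT Kerberos code): model the krbticketflags
# bitmask that `ipa service-mod --ok-as-delegate` / `--ok-to-auth-as-delegate`
# and kadmin's `modprinc +flag` both edit, to show that the two flags discussed
# in the thread are different bits.

# Principal attribute bits as defined in MIT Kerberos kdb.h.
KRB5_KDB_REQUIRES_PRE_AUTH = 0x00000080
KRB5_KDB_OK_AS_DELEGATE = 0x00100000          # Web UI: "Trusted for delegation"
KRB5_KDB_OK_TO_AUTH_AS_DELEGATE = 0x00200000  # Web UI: "Trusted to auth as user"

# kadmin attribute token -> (IPA LDAP attribute, IPA CLI option name, bit).
# The IPA names come from the patches in this thread; the table itself is an
# assumption of this example, not FreeIPA's internal mapping.
FLAG_TABLE = {
    'requires_preauth': ('ipakrbrequirespreauth', 'requires_pre_auth',
                         KRB5_KDB_REQUIRES_PRE_AUTH),
    'ok_as_delegate': ('ipakrbokasdelegate', 'ok_as_delegate',
                       KRB5_KDB_OK_AS_DELEGATE),
    'ok_to_auth_as_delegate': ('ipakrboktoauthasdelegate',
                               'ok_to_auth_as_delegate',
                               KRB5_KDB_OK_TO_AUTH_AS_DELEGATE),
}
_BIT_BY_CLI_NAME = {v[1]: v[2] for v in FLAG_TABLE.values()}


def apply_modprinc(krbticketflags, attrs):
    """Apply kadmin-style '+flag' / '-flag' tokens, e.g. '+ok_to_auth_as_delegate'."""
    for token in attrs.split():
        if len(token) < 2 or token[0] not in '+-':
            raise ValueError('bad attribute token: %r' % token)
        name = token[1:]
        if name not in FLAG_TABLE:
            raise ValueError('unknown attribute: %r' % name)
        bit = FLAG_TABLE[name][2]
        if token[0] == '+':
            krbticketflags |= bit
        else:
            krbticketflags &= ~bit
    return krbticketflags


def apply_ipa_options(krbticketflags, **options):
    """Apply IPA CLI style options, e.g. ok_as_delegate=True (the
    `--ok-as-delegate=True` form); False clears the bit, None leaves it alone."""
    for cli_name, value in options.items():
        if cli_name not in _BIT_BY_CLI_NAME:
            raise ValueError('unknown option: %r' % cli_name)
        if value is None:
            continue
        bit = _BIT_BY_CLI_NAME[cli_name]
        krbticketflags = (krbticketflags | bit) if value else (krbticketflags & ~bit)
    return krbticketflags


def decode(krbticketflags):
    """Return {ipa_attribute: bool} for the bits this example knows about."""
    return {attr: bool(krbticketflags & bit)
            for attr, _cli, bit in FLAG_TABLE.values()}


def s4u2self_allowed(krbticketflags):
    """Whether the ok_to_auth_as_delegate bit (the one S4U2Self impersonation
    relies on) is set. ok_as_delegate is a separate bit and does not imply it."""
    return bool(krbticketflags & KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)


if __name__ == '__main__':
    # Constructed starting point: an HTTP/ principal that only requires preauth.
    flags = KRB5_KDB_REQUIRES_PRE_AUTH
    flags = apply_ipa_options(flags, ok_as_delegate=True)      # what was tried
    print(hex(flags), decode(flags), s4u2self_allowed(flags))  # -> still False
    flags = apply_modprinc(flags, '+ok_to_auth_as_delegate')   # what was needed
    print(hex(flags), decode(flags), s4u2self_allowed(flags))  # -> now True
```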


Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-04 Thread Jan Pazdziora
On Wed, Aug 03, 2016 at 10:29:52AM +0300, Alexander Bokovoy wrote:
>
> Got it. One thing I would correct, though, -- don't use kadmin.local, we
> do support setting ok_as_delegate on the service principals via IPA CLI:
> $ ipa service-mod --help |grep -A1 ok-as-delegate
>  --ok-as-delegate=BOOL
>Client credentials may be delegated to the service

I've tried

ipa service-mod --ok-as-delegate=True HTTP/$(hostname)

but that does not seem to have the same effect as

modprinc +ok_to_auth_as_delegate HTTP/ipa.example.test

-- obtaining the delegated certificate fails.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-03 Thread Alexander Bokovoy

On Wed, 03 Aug 2016, Jan Pazdziora wrote:

On Tue, Aug 02, 2016 at 05:57:38PM +0300, Alexander Bokovoy wrote:

On Mon, 01 Aug 2016, Rob Crittenden wrote:
>
> How/where does the UI get a Kerberos ticket for the user?
That's indeed a problem -- even with the PKINIT support in KDC that Simo
is polishing up now, we don't have a way to obtain a ticket on behalf of
the user because Apache would terminate the SSL negotiation and we
wouldn't be able to use the user's certificate to do PKINIT negotiation to
obtain a ticket as the user and then continue running on their behalf.
Nor would we get any Kerberos ticket from the client side.


The current idea is to use S4U2Self and the GssapiImpersonate feature
of mod_auth_gssapi 1.4.0, similar to the approach from

http://www.freeipa.org/page/V4/External_Authentication/NSS_Impersonation

Tibor has done the investigation for FreeIPA and is working on some
polished instructions for the FreeIPA WebUI.

Got it. One thing I would correct, though, -- don't use kadmin.local, we
do support setting ok_as_delegate on the service principals via IPA CLI:
$ ipa service-mod --help |grep -A1 ok-as-delegate
 --ok-as-delegate=BOOL
   Client credentials may be delegated to the service

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-03 Thread Jan Pazdziora
On Tue, Aug 02, 2016 at 05:57:38PM +0300, Alexander Bokovoy wrote:
> On Mon, 01 Aug 2016, Rob Crittenden wrote:
> > 
> > How/where does the UI get a Kerberos ticket for the user?
> That's indeed a problem -- even with the PKINIT support in KDC that Simo
> is polishing up now, we don't have a way to obtain a ticket on behalf of
> the user because Apache would terminate the SSL negotiation and we
> wouldn't be able to use the user's certificate to do PKINIT negotiation to
> obtain a ticket as the user and then continue running on their behalf.
> Nor would we get any Kerberos ticket from the client side.

The current idea is to use S4U2Self and the GssapiImpersonate feature
of mod_auth_gssapi 1.4.0, similar to the approach from

http://www.freeipa.org/page/V4/External_Authentication/NSS_Impersonation

Tibor has done the investigation for FreeIPA and is working on some
polished instructions for the FreeIPA WebUI.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCH] 0001 Added new authentication method

2016-08-02 Thread Alexander Bokovoy

On Mon, 01 Aug 2016, Rob Crittenden wrote:

Tibor Dudlak wrote:

Hi,

I have added a few lines of code to make optional login with a personal
certificate (or with a smartcard) possible. Some UI changes have to be
made. It is not kosher but it definitely works.

Thank you, Tibor



What about the Apache changes to require a certificate in 
/ipa/session/login_x509?


Does/will this only support a specially crafted certificate subject?

How/where does the UI get a Kerberos ticket for the user?

That's indeed a problem -- even with the PKINIT support in KDC that Simo
is polishing up now, we don't have a way to obtain a ticket on behalf of
the user because Apache would terminate the SSL negotiation and we
wouldn't be able to use the user's certificate to do PKINIT negotiation to
obtain a ticket as the user and then continue running on their behalf.
Nor would we get any Kerberos ticket from the client side.
--
/ Alexander Bokovoy
