On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
> Hi!
>
> On Mon, 29 Jul 2013, Matt . wrote:
>> Hi Alexander,
>>
>> That is great!
>>
>> I hope that someone can find this topic and use it as reference as it
>> took us some time to find the other one :)
> You can find my blog post here:
> http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
>
> Hope it helps. I've tested the scenario on Fedora 19.

I added it to the HOWTO section on wiki.
http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA

>> Thanks!
>>
>> Cheers,
>>
>> Matt
>>
>> 2013/7/29 Alexander Bokovoy <[email protected]>
>>
>>> Hi Matt,
>>>
>>> On Mon, 29 Jul 2013, Matt . wrote:
>>>
>>>> Hi all,
>>>>
>>>> Referring to this topic:
>>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>>>>
>>>> We are now able to do a show_user from a webserver on an IPA server,
>>>> but user_add gives a problem in rights.
>>>>
>>>> On the IPA server there is added to the services:
>>>> HTTP/test-webserver.dev.[email protected]
>>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/[email protected]>
>>>>
>>>> We installed mod_auth_kerb on the webserver and the IPA-server and
>>>> created a keytab also on both servers.
>>>>
>>>> With our script we still get the following error because the rights
>>>> that the user has:
>>>>
>>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the 'userPassword' attribute
>>>>
>>>> When we add a user "apache" to the IPA server and give it admin
>>>> rights and set it to the "User Administrator" Role we still don't
>>>> have the right privileges to do so.
>>>>
>>>> We need to setup a S4U2Proxy where we thought of that we did by
>>>> installing the mod_auth_kerb on the webserver, but this seems to be
>>>> on the IPA servers.
>>>>
>>>> The same question for the keytab, where do we use it when we use a
>>>> simple webserver form to add a user? It's the same as in the topic
>>>> here where there is spoken about the "User privileges":
>>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>>>>
>>>> What do we have to do on which server? We have put a lot of time
>>>> into the user_show part and that works, now we still need the
>>>> user_add (and so on).
>>>>
>>>> Has anyone some sort of sample/howto for this?
>>>>
>>> As I said on IRC, I'm working on the article which explains all that.
>>> Stay tuned.
>>>
>>> --
>>> / Alexander Bokovoy

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
