Hi Dmitri,

It's a good tutorial but I'm kinda stuck (and new to that part).

What we seem to need is:

A -> B -> C -> D

A = user (running one)
B = Webserver
C = IPAserver
D = LDAP on IPAserver

I thought we didn't need the C -> D part because this is what IPA does.

We actually need the A -> B -> C part executed from a php script to add a user with user_add.

More details about that are welcome.

Thanks!

Cheers,

Matt

2013/7/30 Dmitri Pal <[email protected]>

> On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
> > Hi!
> >
> > On Mon, 29 Jul 2013, Matt . wrote:
> >> Hi Alexander,
> >>
> >> That is great!
> >>
> >> I hope that someone can find this topic and use it as reference as it
> >> took us some time to find the other one :)
> > You can find my blog post here:
> > http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
> >
> > Hope it helps. I've tested the scenario on Fedora 19.
>
> I added it to the HOWTO section on wiki.
> http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA
>
> >>
> >> Thanks!
> >>
> >> Cheers,
> >>
> >> Matt
> >>
> >> 2013/7/29 Alexander Bokovoy <[email protected]>
> >>
> >>> Hi Matt,
> >>>
> >>> On Mon, 29 Jul 2013, Matt . wrote:
> >>>
> >>>> Hi all,
> >>>>
> >>>> Referring to this topic:
> >>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
> >>>>
> >>>> We are no able to do a show_user from a webserver on an IPA server,
> >>>> but user_add gives a problem in rights.
> >>>>
> >>>> On the IPA server there is added to the services:
> >>>> HTTP/test-webserver.dev.[email protected]
> >>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/[email protected]>
> >>>>
> >>>> We installed mod_auth_kerb on the webserver and the IPA-server and
> >>>> created a keytab also on both servers.
> >>>>
> >>>> With our script we still get the following error because the rights
> >>>> that the user has:
> >>>>
> >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
> >>>> 'userPassword' attribute
> >>>>
> >>>> When we add a user "apache" to the IPA server and give it admin
> >>>> rights and set it to the "User Administrator" Role we still don't
> >>>> have the right privileges to do so.
> >>>>
> >>>> We need to set up a S4U2Proxy where we thought of that we did by
> >>>> installing the mod_auth_kerb on the webserver, but this seems to be
> >>>> on the IPA servers.
> >>>>
> >>>> The same question for the keytab, where do we use it when we use a
> >>>> simple webserver form to add a user? It's the same as in the topic
> >>>> here where there is spoken about the "User privileges":
> >>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
> >>>>
> >>>> What do we have to do on which server? We have put a lot of time
> >>>> into the user_show part and that works, now we still need the
> >>>> user_add (and so on).
> >>>>
> >>>> Has anyone some sort of sample/howto for this?
> >>>>
> >>> As I said on IRC, I'm working on the article which explains all that.
> >>> Stay tuned.
> >>>
> >>> --
> >>> / Alexander Bokovoy
> >>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
