Hi Alexander,

That is great!

I hope that someone can find this topic and use it as reference as it took
us some time to find the other one :)

Thanks!

Cheers,

Matt

2013/7/29 Alexander Bokovoy <aboko...@redhat.com>

> Hi Matt,
>
>
> On Mon, 29 Jul 2013, Matt . wrote:
>
>> Hi all,
>>
>> Referring to this topic:
>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
>>
>> We are now able to do a show_user from a webserver on an IPA server, but
>> user_add gives a problem in rights.
>>
>> On the IPA server there is added to the services:
>> HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL
>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL>
>>
>>
>> We installed mod_auth_kerb on the webserver and the IPA-server and created
>> a keytab also on both servers.
>>
>>
>> With our script we still get the following error because of the rights that
>> the user has:
>>
>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
>> 'userPassword' attribute
>>
>> When we add a user "apache" to the IPA server and give it admin rights and
>> set it to the "User Administrator" Role we still don't have the right
>> privileges to do so.
>>
>> We need to set up an S4U2Proxy, which we thought we did by installing
>> mod_auth_kerb on the webserver, but this seems to be on the IPA
>> servers.
>>
>> The same question for the keytab: where do we use it when we use a simple
>> webserver form to add a user? It's the same as in the topic here, which
>> talks about the "User privileges":
>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
>>
>> What do we have to do on which server? We have put a lot of time into the
>> user_show part and that works, now we still need the user_add (and so on).
>>
>> Does anyone have some sort of sample/howto for this?
>>
> As I said on IRC, I'm working on the article which explains all that.
> Stay tuned.
>
>
> --
> / Alexander Bokovoy
>