On Tue, 30 Jul 2013, Dmitri Pal wrote:
On 07/30/2013 08:17 AM, Matt . wrote:
Hi Dmitri,

It's a good tutorial but I'm kinda stuck (and new to that part)

What we seem to need is:

A -> B -> C -> D
A= user(running one) B= Webserver C=IPAserver D= LDAP on IPAserver

I thought we didn't need the C -> D part because this is what IPA
does. We actually need the A -> B -> C part executed from a php
script to add a user with user_add.

More details about that are welcome.

You use the article but instead of accessing LDAP directly you need to
access the IPA web server because you will be running IPA commands and not
LDAP queries.
So instead of using the ldap/ipa.example.com principal as outlined in
the article you configure acquisition of tickets for HTTP/ipa.example.com.
Makes sense?
Yes and Matt actually solved his problem on IRC and now is happily deploying
his servers. :)

I'll extend the article to cover the case when you need to talk to both
LDAP and IPA server XML-RPC/JSON API.

Ideally we need to introduce some commands to manage delegations between
services. An RFE ticket for CLI?



Thanks!

Cheers,

Matt


2013/7/30 Dmitri Pal <d...@redhat.com>

    On 07/29/2013 03:02 PM, Alexander Bokovoy wrote:
    > Hi!
    >
    > On Mon, 29 Jul 2013, Matt . wrote:
    >> Hi Alexander,
    >>
    >> That is great!
    >>
    >> I hope that someone can find this topic and use it as reference as it
    >> took us some time to find the other one :)
    > You can find my blog post here:
    >
    > http://vda.li/en/posts/2013/07/29/Setting-up-S4U2Proxy-with-FreeIPA/index.html
    >
    > Hope it helps. I've tested the scenario on Fedora 19.

    I added it to the HOWTO section on wiki.
    http://www.freeipa.org/page/Howto/Setting_up_S4U2Proxy_with_FreeIPA

    >
    >>
    >> Thanks!
    >>
    >> Cheers,
    >>
    >> Matt
    >>
    >> 2013/7/29 Alexander Bokovoy <aboko...@redhat.com>
    >>
    >>> Hi Matt,
    >>>
    >>>
    >>> On Mon, 29 Jul 2013, Matt . wrote:
    >>>
    >>>> Hi all,
    >>>>
    >>>> Referring to this topic:
    >>>>
    >>>> https://www.redhat.com/archives/freeipa-users/2013-July/msg00318.html
    >>>>
    >>>>
    >>>> We are now able to do a show_user from a webserver on an IPA server,
    >>>> but user_add gives a problem in rights.
    >>>>
    >>>> On the IPA server there is added to the services:
    >>>> HTTP/test-webserver.dev.domain.local@DEV.DOMAIN.LOCAL
    >>>> <https://test-zip.dev.msp.cullie.local/ipa/ui/#HTTP/test-zip-2.dev.msp.cullie.lo...@dev.msp.CULLIE.LOCAL>
    >>>>
    >>>>
    >>>> We installed mod_auth_kerb on the webserver and the IPA-server and
    >>>> created a keytab also on both servers.
    >>>>
    >>>>
    >>>> With our script we still get the following error because of the
    >>>> rights that the user has:
    >>>>
    >>>> ipa: ERROR: Insufficient access: Insufficient 'add' privilege to the
    >>>> 'userPassword' attribute
    >>>>
    >>>> When we add a user "apache" to the IPA server and give it admin
    >>>> rights and set it to the "User Administrator" Role we still don't
    >>>> have the right privileges to do so.
    >>>>
    >>>> We need to set up a S4U2Proxy, which we thought we did by
    >>>> installing the mod_auth_kerb on the webserver, but this seems to be
    >>>> on the IPA servers.
    >>>>
    >>>> The same question for the keytab, where do we use it when we use a
    >>>> simple webserver form to add a user ? It's the same as in the topic
    >>>> here where the "User privileges" are spoken about:
    >>>>
    >>>> http://comments.gmane.org/gmane.linux.redhat.freeipa.user/8244
    >>>>
    >>>>
    >>>> What do we have to do on which server ? We have put a lot of time
    >>>> into the user_show part and that works, now we still need the
    >>>> user_add (and so on).
    >>>>
    >>>> Has anyone some sort of sample/howto for this ?
    >>>>
    >>> As I said on IRC, I'm working on the article which explains all that.
    >>> Stay tuned.
    >>>
    >>>
    >>> --
    >>> / Alexander Bokovoy
    >>>


    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager for IdM portfolio
    Red Hat Inc.


    -------------------------------
    Looking to carve out IT costs?
    www.redhat.com/carveoutcosts/



    _______________________________________________
    Freeipa-users mailing list
    Freeipa-users@redhat.com
    https://www.redhat.com/mailman/listinfo/freeipa-users




--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.






--
/ Alexander Bokovoy
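To make Dmitri's point concrete, this is the shape of the S4U2Proxy delegation rule that a FreeIPA directory holds for the A -> B -> C scenario, written here as an added example rather than taken from the thread or from Alexander's article. It assumes the web server principal HTTP/test-webserver.example.com@EXAMPLE.COM, the IPA server ipa.example.com, the suffix dc=example,dc=com and the entry names webserver-to-ipa and webserver-to-ipa-targets; the targets entry lists both the HTTP/ principal that fronts the IPA XML-RPC/JSON API and the ldap/ principal the article used, covering the "talk to both" case Dmitri mentions extending the article for.

```ldif
# Added example, not from the thread: S4U2Proxy delegation rule in FreeIPA's
# directory (container cn=s4u2proxy,cn=etc,$SUFFIX). The web server's HTTP
# principal is allowed to obtain, on behalf of the user who authenticated to
# it, service tickets for the principals listed in the targets entry.
# Entry names, host names, realm and suffix are assumptions; replace them.

# Targets: which services the web server may be issued tickets for.
dn: cn=webserver-to-ipa-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: groupOfPrincipals
objectClass: top
cn: webserver-to-ipa-targets
# The IPA XML-RPC/JSON API is served behind this principal (Dmitri's point:
# delegate to HTTP/, not to ldap/, when the script runs IPA commands).
memberPrincipal: HTTP/ipa.example.com@EXAMPLE.COM
# Keep the LDAP principal only if the script also binds to LDAP directly.
memberPrincipal: ldap/ipa.example.com@EXAMPLE.COM

# Rule: the web server principal is the one permitted to delegate.
dn: cn=webserver-to-ipa,cn=s4u2proxy,cn=etc,dc=example,dc=com
objectClass: ipaKrb5DelegationACL
objectClass: groupOfPrincipals
objectClass: top
cn: webserver-to-ipa
memberPrincipal: HTTP/test-webserver.example.com@EXAMPLE.COM
ipaAllowedTarget: cn=webserver-to-ipa-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
```

The rule only lets the web server obtain a ticket in the name of the logged-in user; user_add then succeeds or fails on that user's own IPA privileges rather than on the apache keytab identity, which is the property the thread is after.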
