[Freeipa-devel] Unifying the PKI and IPA Directory Server instances
Ade Lee
alee at redhat.com
Thu Nov 3 15:18:12 UTC 2011
On Thu, 2011-11-03 at 09:22 -0400, Rob Crittenden wrote:
> Ade Lee wrote:
> > On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
> >> To clarify: there are two types of Data stored in the PKI CA DS
> >> instances. One is Users and groups (IdM), and the other is
> >> certificates and requests.
> >>
> >> The CA currently administers its own users: creates, add deletes, add
> >> privs and so forth. If we extract the IdM objects from the CA
> >> control, we will need to build another mechanism to manage them.
> >>
> >> The Certificates will stay in their own suffix. I don't think anyone
> >> disagrees about this.
> >>
> >> I'm trying to think through the steps of using the IPA user database for
> >> PKI. If I undertand the end state, the general flow will be driven from
> >> ipa-server-install and will look like this:
> >>
> >> 1. Create a unified DS instance. We can continue to name it the way
> >> that IPA does: All caps the hostname.
> >> 2. Apply the LDAP schema LDIFs to it. At this point, we probably want
> >> to create the whole IPA schema, and the cmsUser as well
> >
> > For clarification, cmsuser is just an object that is defined in the PKI
> > schema, not the actual admin user created in the install itself.
> >
> > It may be advantageous to actually pre-create this user when applying
> > schema LDIFS and just have pkisilent add the user certs.
>
> The description attribute needs to store per-instance specific
> information such as the requestId. Unless you mean just adding userstate
> and usertype.
>
In dogtag, I believe we have used the description attribute to store
whatever the user provided to describe the user/group. This is more
relevant to the console.
As IPA will be managing users and groups, then it can also manage this
attribute.
> >> 3. Call PKISilent (or equivalent) passing the info for the Unified
> >> directory server instance, to include the IPA tree for the users.
> >> 4. PKISilent will create the PKI admin user, to include its
> >> certificiate in the IPA tree. This user will be half baked from an IPA
> >> perspective, but will allow administration of the CA.
> >
> > Pre-creating this user may solve this problem. You can pre-create a
> > user with all the required IPA and PKI attributes and just have
> > pkisilent add the user cert needed.
> >
> > As we will be running as directory manager in this case, we will
> > permissions to do this.
> >
> >> 5. Create a PKIDirectory Manager account that has complete control over
> >> only the PKI suffix, and not the IPA suffix. Modify the PKI code to
> >> use only this account. This account should be able to authenticate
> >> against the Dir Srv using a client certificate, stored in the PKI
> >> specific NSS database.
> >
> > This of course involves setting up the relevant ACIs. We may want to
> > consider the reverse. That only certain IPA accounts should have access
> > to the PKI data.
>
> Which still involves ACIs, right?
Right
>
> >> 6. Restart the CA.
> >> 7. Continue the IPA server install from the. Fix up the Admin user so
> >> that it works for IPA.
> >
> > Not needed if we pre-populate as mentioned above.
> >
> >> 8. Disable the Directory Manager's password. From here on out, access
> >> to the Dir Srv should be either certificate or Keytab only.
> >>
> >>
> >> After IPA is up and running, the management of the User Database is done
> >> by IPA.
> >> One thing that several people have asked for in IPA is the ability to
> >> manage external Roles: ones that don't map to ACIs. PKI has this
> >> requirement as well. There are a couple approaches we could take:
> >>
> >> 1. Attempt to use the current Role mechanism in IPA. This gets hidden
> >> to an outside user, but that should be OK. Checking if a user is a PKI
> >> Admin, Agent, or Auditor should be done only by a privileged account anyway.
> >>
> >> 2. Use a User Group: PKIAdmins, PKIAgents, and PKIAuditors. This
> >> is what I would suggest.
> >>
> >> 3. Create an external mechanism.
> >>
> >>
> >> Once IPA has assumed control of the IdM DB, we will still need to be
> >> able to get user certificates into the user records CMSUser field. I
> >> do not know CS well enough to say how that would work, but I assume it
> >> will be one of these two mechanisms:
> >>
> >> 1. Use the CA Administrative interface to modify an existing user to
> >> have the certificate
> >> or
> >> 2. Add a mechanism to IPA to request and apply the certificate to the
> >> IPA User.
> >>
> >> I'm guessing that the flow would be something like this:
> >>
> >> 1. Create a user (ipa user-add)
> >> 2. Assign them to the PKIAgents groups
> >> 3. Call the CA Admin interface to make the user an agent.
> >>
> >> If we do it this way, the PKI instance will need to be able to modify
> >> the IPA user record. Alternatively:
> >>
> >> 1. ipa user-add
> >> 2. ipa group-add-member
> >> 3. ipa user-cert
> >
> > So, a user becomes an agent on the ca by having a certificate in the
> > user record and being a member of the relevant admin, agent or auditor
> > group.
> >
> > I see this as follows:
> > 1. ipa cms-user-add (add a user and add the auxilliary cmsuser object
> > class)
> > 2. ipa user-cert (contact the ca and get a certificate for this user,
> > add this cert to the user record in the ipa database)
> > 3. ipa group-add-member (add the user to the relevant group)
> >
> > At no point does PKI need to modify anything in the IPA database.
>
> And it never should IMHO. We need to maintain the idea that the CA is
> some black box that we can poke at from time to time to get data but I'd
> prefer to keep them discrete.
>
Yes - me too.
> >>
> >> As an added bonus, we get user certs.
> >>
> >>
> >> One discussion we've had on the side is about scalability. As the
> >> Databases increase in size, it might become impractical to fully
> >> synchroize the user database over to a machine that is dedicated to
> >> Certificate operations. For example, we might have a public facing
> >> machine in the DMZ that is servering CRLs and OCSP to the world. This
> >> machine would only need the subset of users that can act as PKI
> >> admins. In this case, we might build a custom script for replicating a
> >> subset of the IPA data one direction only: from one of the fully
> >> replicated instance to the DMZ instance. This is not something we
> >> foresee doing in a near term release, but should be discussed and
> >> fleshed out.
> >>
> >> _______________________________________________
> >> Freeipa-devel mailing list
> >> Freeipa-devel at redhat.com
> >> https://www.redhat.com/mailman/listinfo/freeipa-devel
> >
> >
> > _______________________________________________
> > Freeipa-devel mailing list
> > Freeipa-devel at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-devel
>
More information about the Freeipa-devel
mailing list