[Freeipa-devel] CA ACL enforcement when authenticated as root
Fraser Tweedale
ftweedal at redhat.com
Wed Jul 1 06:06:11 UTC 2015
Hi everyone,
With the addition of CA ACLs, there are now two levels of
permissions checked by the `cert-request' command:
- LDAP permission checks. This check is performed against the bind
principal; `admin' has permission to write the userCertificate
attribute of any principal.
- CA ACLs: whether issuing a certificate to a particular principal
using a particular profile is permitted. This check is performed
against the principal for whom the certificate is being requested,
which might or might not be the bind principal.
Some questions came up after the recent GSS IdM test day:
1) It was requested to add a caacl rule to allow `admin' to issue a
certificite for itself via any profile. This is straightforward,
but what are the use cases for the `admin' account issuing
certificates to itself?
2) When `admin' (as bind principal) requests a certificate for
another principal and there is no CA ACL allowing issuance of a
certificate for that principal+profile, the request is currently
rejected. Should we change the behaviour to allow `admin' to issue
a certificate to any principal, using any profile? (This would be
accomplished by skipping CA ACL checks in `cert-request' when
authenticated as admin.)
(Note, if the answer to (2) is "yes", (1) is subsumed.)
Cheers,
Fraser
More information about the Freeipa-devel
mailing list