[Freeipa-devel] CA ACL enforcement when authenticated as root
Fraser Tweedale
ftweedal at redhat.com
Fri Jul 3 14:32:40 UTC 2015
On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
> Hi everyone,
>
> With the addition of CA ACLs, there are now two levels of
> permissions checked by the `cert-request' command:
>
> - LDAP permission checks. This check is performed against the bind
> principal; `admin' has permission to write the userCertificate
> attribute of any principal.
>
> - CA ACLs: whether issuing a certificate to a particular principal
> using a particular profile is permitted. This check is performed
> against the principal for whom the certificate is being requested,
> which might or might not be the bind principal.
>
> Some questions came up after the recent GSS IdM test day:
>
> 1) It was requested to add a caacl rule to allow `admin' to issue a
> certificate for itself via any profile. This is straightforward,
> but what are the use cases for the `admin' account issuing
> certificates to itself?
>
> 2) When `admin' (as bind principal) requests a certificate for
> another principal and there is no CA ACL allowing issuance of a
> certificate for that principal+profile, the request is currently
> rejected. Should we change the behaviour to allow `admin' to issue
> a certificate to any principal, using any profile? (This would be
> accomplished by skipping CA ACL checks in `cert-request' when
> authenticated as admin.)
>
> (Note, if the answer to (2) is "yes", (1) is subsumed.)
>
> Cheers,
> Fraser
Ping. Anyone got feels about this? Otherwise a patch will appear
implementing (2), because that is a smaller patch :)
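
Added example, not part of the thread and not FreeIPA code: a small Python model of the two checks described in the quoted message, comparing current behaviour with options (1) and (2). The function names, the principals alice and bob, the profile IDs, the "empty set means any profile" convention and self-service LDAP writes are assumptions of this model.

```python
from dataclasses import dataclass

# Hypothetical model, not FreeIPA's API; principals and profile IDs are constructed.
ADMINS = frozenset({"admin"})

@dataclass(frozen=True)
class CAACL:
    principals: frozenset              # subject principals the rule covers
    profiles: frozenset = frozenset()  # assumption: empty set means "any profile"

    def permits(self, subject, profile):
        return subject in self.principals and (not self.profiles or profile in self.profiles)

def ldap_may_write_usercert(bind, subject):
    # Check 1, against the BIND principal. `admin' may write userCertificate on
    # any entry; self-service for other principals is an assumption of this model.
    return bind in ADMINS or bind == subject

def cert_request_allowed(bind, subject, profile, acls, admin_bypass=False):
    """Return (allowed, reason) for one request under the modelled policy."""
    if not ldap_may_write_usercert(bind, subject):
        return False, "LDAP permission denied"
    if admin_bypass and bind in ADMINS:
        # Option (2): CA ACLs are not consulted at all for admin binds.
        return True, "CA ACL check skipped for admin"
    # Check 2, against the SUBJECT principal and the requested profile.
    if any(acl.permits(subject, profile) for acl in acls):
        return True, "CA ACL match"
    return False, "no CA ACL for principal+profile"

def compare_options():
    base = [CAACL(frozenset({"alice"}), frozenset({"userCert"}))]
    option1 = base + [CAACL(frozenset({"admin"}))]  # admin as subject, any profile
    requests = [("admin", "admin", "serverCert"),
                ("admin", "bob", "userCert"),
                ("alice", "alice", "serverCert")]
    table = {}
    for req in requests:
        table[req] = (cert_request_allowed(*req, base)[0],
                      cert_request_allowed(*req, option1)[0],
                      cert_request_allowed(*req, base, admin_bypass=True)[0])
    return table  # per request: (current, option 1, option 2)

if __name__ == "__main__":
    for req, outcome in compare_options().items():
        print(req, outcome)
```

In this model option (1) only changes requests where admin is also the subject, while under option (2) no CA ACL constrains what an admin bind can issue.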