[Freeipa-devel] CA ACL enforcement when authenticated as root

Simo Sorce simo at redhat.com
Fri Jul 3 14:53:54 UTC 2015


On Sat, 2015-07-04 at 00:32 +1000, Fraser Tweedale wrote:
> On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
> > Hi everyone,
> > 
> > With the addition of CA ACLs, there are now two levels of
> > permissions checked by the `cert-request' command:
> > 
> > - LDAP permission checks.  This check is performed against the bind
> >   principal; `admin' has permission to write the userCertificate
> >   attribute of any principal.
> > 
> > - CA ACLs: whether issuing a certificate to a particular principal
> >   using a particular profile is permitted.  This check is performed
> >   against the principal for whom the certificate is being requested,
> >   which might or might not be the bind principal.
> > 
> > Some questions came up after the recent GSS IdM test day:
> > 
> > 1) It was requested to add a caacl rule to allow `admin' to issue a
> > certificate for itself via any profile.  This is straightforward,
> > but what are the use cases for the `admin' account issuing
> > certificates to itself?
> > 
> > 2) When `admin' (as bind principal) requests a certificate for
> > another principal and there is no CA ACL allowing issuance of a
> > certificate for that principal+profile, the request is currently
> > rejected.  Should we change the behaviour to allow `admin' to issue
> > a certificate to any principal, using any profile?  (This would be
> > accomplished by skipping CA ACL checks in `cert-request' when
> > authenticated as admin.)
> > 
> > (Note, if the answer to (2) is "yes", (1) is subsumed.)

There should be a group (of which admin will be part by default) that
can do this. It is needed to be able to provide certificates to hosts
that respond to multiple names, wildcard names and so on.

So, yes.

Simo.


> > Cheers,
> > Fraser
> > 
> 
> Ping.  Anyone got feels about this?  Otherwise a patch will appear
> implementing (2), because that is a smaller patch :)
> 


-- 
Simo Sorce * Red Hat, Inc * New York
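The two-level check Fraser describes, together with the group-based bypass Simo proposes, modelled as an added Python example (not FreeIPA's `cert-request` code); the bypass group name, the profile names, the self-service rule for non-admin bind principals and the sample ACL are all constructed assumptions:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class CaAcl:
    """Constructed model of a CA ACL: which principals may get certs via which profiles."""
    principals: frozenset
    profiles: frozenset

    def permits(self, target: Principal, profile: str) -> bool:
        return target.name in self.principals and profile in self.profiles


# Hypothetical name; the thread only says "a group (of which admin will be part by default)".
CAACL_BYPASS_GROUP = "caacl-bypass-group"


def ldap_check(bind: Principal, target: Principal) -> bool:
    """Level 1, evaluated against the BIND principal: may it write userCertificate on the target?
    From the thread: admin may write any principal's entry. Assumption: others only their own."""
    return bind.name == "admin" or bind.name == target.name


def caacl_check(acls, target: Principal, profile: str) -> bool:
    """Level 2, evaluated against the TARGET principal: does any CA ACL permit (target, profile)?"""
    return any(acl.permits(target, profile) for acl in acls)


def authorize_cert_request(bind, target, profile, acls, bypass_enabled):
    """Return (allowed, reason). bypass_enabled=False is the current behaviour described in the
    thread; True implements option (2), keyed on group membership rather than the admin account."""
    if not ldap_check(bind, target):
        return False, "ldap: bind principal may not write userCertificate of target"
    if bypass_enabled and CAACL_BYPASS_GROUP in bind.groups:
        return True, "caacl: skipped, bind principal is in the bypass group"
    if not caacl_check(acls, target, profile):
        return False, "caacl: no rule permits this principal+profile"
    return True, "ok"


# Constructed sample data: admin sits in the bypass group, alice is an ordinary user,
# and the service principal has no CA ACL covering it at all.
ADMIN = Principal("admin", frozenset({CAACL_BYPASS_GROUP}))
ALICE = Principal("alice")
WEBSVC = Principal("HTTP/web.example.test")
ACLS = (CaAcl(frozenset({"alice"}), frozenset({"userProfile"})),)
```

With `bypass_enabled=False` admin is rejected at the CA ACL step for the uncovered service principal, which is the rejection Fraser reports; with it enabled, both question (2) and the admin-for-itself case (1) pass.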