[Freeipa-devel] CA ACL enforcement when authenticated as root

Fraser Tweedale ftweedal at redhat.com
Mon Jul 6 09:47:21 UTC 2015


On Fri, Jul 03, 2015 at 10:53:54AM -0400, Simo Sorce wrote:
> On Sat, 2015-07-04 at 00:32 +1000, Fraser Tweedale wrote:
> > On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
> > > Hi everyone,
> > > 
> > > With the addition of CA ACLs, there are now two levels of
> > > permissions checked by the `cert-request' command:
> > > 
> > > - LDAP permission checks.  This check is performed against the bind
> > >   principal; `admin' has permission to write the userCertificate
> > >   attribute of any principal.
> > > 
> > > - CA ACLs: whether issuing a certificate to a particular principal
> > >   using a particular profile is permitted.  This check is performed
> > >   against the principal for whom the certificate is being requested,
> > >   which might or might not be the bind principal.
> > > 
> > > Some questions came up after the recent GSS IdM test day:
> > > 
> > > 1) It was requested to add a caacl rule to allow `admin' to issue a
> > > certificate for itself via any profile.  This is straightforward,
> > > but what are the use cases for the `admin' account issuing
> > > certificates to itself?
> > > 
> > > 2) When `admin' (as bind principal) requests a certificate for
> > > another principal and there is no CA ACL allowing issuance of a
> > > certificate for that principal+profile, the request is currently
> > > rejected.  Should we change the behaviour to allow `admin' to issue
> > > a certificate to any principal, using any profile?  (This would be
> > > accomplished by skipping CA ACL checks in `cert-request' when
> > > authenticated as admin.)
> > > 
> > > (Note, if the answer to (2) is "yes", (1) is subsumed.)
> 
> There should be a group (of which admin will be part of by default) that
> can do this. It is needed to be able to provide certificates to hosts
> that respond to multiple names, wildcard names and so on.
> 
> So, yes.
> 
> Simo.
> 
Thanks; good idea.  I filed a ticket:
https://fedorahosted.org/freeipa/ticket/5099

> 
> > > Cheers,
> > > Fraser
> > > 
> > > -- 
> > > Manage your subscription for the Freeipa-devel mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> > 
> > Ping.  Anyone got feels about this?  Otherwise a patch will appear
> > implementing (2), because that is a smaller patch :)
> > 
> 
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
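The two-level check described above (an LDAP permission check against the bind principal, then a CA ACL check against the principal the certificate is for) and the proposed exemption group are easy to get wrong in the order of evaluation, so here is a small Python model of the decision logic. This is an added example, not FreeIPA's own `cert-request` implementation: the `Principal`/`CAACL` classes, the rule matching, the `admins` self-service simplification of the LDAP check, the bypass group name `cert-request-any`, the profile `wildcardProfile` and all sample principals are constructed for illustration (only `caIPAserviceCert` and the `admins` group are real FreeIPA names).

```python
"""Toy model of cert-request authorization as discussed in the thread.

Added example, not FreeIPA code. Rule structure, principals, the
bypass group and the LDAP-permission simplification are assumptions.
"""
from dataclasses import dataclass

ADMINS = "admins"                 # real FreeIPA group
BYPASS_GROUP = "cert-request-any"  # hypothetical name for the group Simo proposes


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                       # "user" or "host"
    groups: frozenset = frozenset()


@dataclass(frozen=True)
class CAACL:
    """One CA ACL rule: which subjects may get which profiles (simplified)."""
    name: str
    profiles: frozenset             # profile IDs, or {"*"} for any profile
    users: frozenset = frozenset()  # user principal names
    hosts: frozenset = frozenset()  # host principal names
    groups: frozenset = frozenset() # user/host group names
    enabled: bool = True

    def permits(self, subject, profile):
        """True if this rule allows `profile` to be issued to `subject`."""
        if not self.enabled:
            return False
        if "*" not in self.profiles and profile not in self.profiles:
            return False
        if subject.kind == "user" and subject.name in self.users:
            return True
        if subject.kind == "host" and subject.name in self.hosts:
            return True
        return bool(self.groups & subject.groups)


def can_write_usercertificate(bind, subject):
    """Level 1, checked against the BIND principal (simplified model of
    the LDAP ACI): admins may write userCertificate of any entry,
    everyone else only of their own entry."""
    return ADMINS in bind.groups or bind == subject


def cert_request(bind, subject, profile, acls, bypass_group=None):
    """Model of the cert-request decision. Returns (issued, reason).

    bypass_group=None is the current behaviour (CA ACLs always apply);
    passing a group name models option (2): members of that group skip
    the CA ACL check, while the LDAP check still applies to them.
    """
    # Level 1: LDAP permission, evaluated for the bind principal.
    if not can_write_usercertificate(bind, subject):
        return False, "ldap: %s may not write userCertificate of %s" % (
            bind.name, subject.name)
    # Level 2: CA ACLs, evaluated for the SUBJECT principal, which may
    # differ from the bind principal.
    if bypass_group is not None and bypass_group in bind.groups:
        return True, "caacl: skipped, %s is in %s" % (bind.name, bypass_group)
    for acl in acls:
        if acl.permits(subject, profile):
            return True, "caacl: %s" % acl.name
    return False, "caacl: no rule permits profile %r for %s" % (
        profile, subject.name)


# Constructed sample directory: one rule letting ordinary users get
# caIPAserviceCert for themselves, nothing at all for hosts.
ADMIN = Principal("admin", "user", frozenset({ADMINS, BYPASS_GROUP}))
ALICE = Principal("alice", "user", frozenset({"ipausers"}))
BOB = Principal("bob", "user", frozenset({"ipausers"}))
WEB = Principal("web.example.test", "host", frozenset({"webservers"}))
ACLS = [CAACL("users_service_cert", frozenset({"caIPAserviceCert"}),
              groups=frozenset({"ipausers"}))]


def scenarios():
    """The cases from the thread, as (issued, reason) pairs."""
    return {
        # question (2), current behaviour: admin is rejected by the CA ACLs
        "admin_for_host_current":
            cert_request(ADMIN, WEB, "caIPAserviceCert", ACLS),
        # question (2), proposed behaviour: admin's group skips the CA ACLs
        "admin_for_host_bypass":
            cert_request(ADMIN, WEB, "caIPAserviceCert", ACLS,
                         bypass_group=BYPASS_GROUP),
        "alice_self": cert_request(ALICE, ALICE, "caIPAserviceCert", ACLS),
        # fails at level 1, the CA ACLs are never consulted
        "alice_for_bob": cert_request(ALICE, BOB, "caIPAserviceCert", ACLS),
        # passes level 1, fails level 2 on the profile
        "alice_self_wildcard":
            cert_request(ALICE, ALICE, "wildcardProfile", ACLS),
    }


if __name__ == "__main__":
    for case, (issued, reason) in scenarios().items():
        print("%-24s %-8s %s" % (case, "ISSUED" if issued else "DENIED", reason))
```

The point the model makes explicit is that the bypass only short-circuits level 2; a member of the bypass group who lacks the LDAP write permission is still refused at level 1, so the group does not become a general write-anything privilege.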