[Freeipa-devel] DNs of Custodia keys

Fraser Tweedale ftweedal at redhat.com
Tue Apr 12 07:03:21 UTC 2016 

Hi Simo and Honza et al,

I have a design challenge pertaining to DNs for Custodia keys.
DNs for Custodia keys for host principals currently take the form:

    cn={sig,enc}/$HOSTNAME,cn=custodia,cn=ipa,cn=etc,$SUFFIX

This prevents the creation of Custodia keys for service principals
(pursuant to another recent design decision[1] the service principal
'dogtag-ipa-custodia/$HOSTNAME@$REALM' shall be used as a Custodia
client for Dogtag lightweight CA key replication).

[1] https://www.redhat.com/archives/freeipa-devel/2016-April/msg00044.html

Searches for custodia keys use a filter on 'ipaKeyUsage' and
'memberPrincipal' attributes, so the CN is unimportant except for
a) uniqueness, and b) ACIs (see below).

Based on this, my first attempt to resolve the conflict was to use
the service name and host name instead of the just the hostname:

    cn=sig/host/f23-5.ipa.local at IPA.LOCAL,cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=local

However, this fails during replica install:

  [2/5]: Generating ipa-custodia keys
  {'info': "Insufficient 'add' privilege to add the entry
            'cn=sig/host/f23-5.ipa.local,cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=local'.\n",
   'desc': 'Insufficient access'}

due to the ACI:

    dn: cn=ipa,cn=etc,$SUFFIX
    add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")
        (version 3.0; acl "IPA server hosts can create own Custodia secrets";
        allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
        and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)

The wildcard '*' in the target is not greedy and stops at the first
slash '/', so the value captured by the ($dn) macro does not match
the bind DN.


Proposed solution
-----------------

Use a delimiter other than '/' between the key type and service
name, e.g.

    cn={sig,enc}+$SERVICENAME/$HOSTNAME        (rule)
    cn=sig+dogtag-ipa-custodia/f23-3.ipa.local (example)

Pros: should work with existing ACIs.

Cons: continues with an arguably suboptimal design choice.


Alternative solution
--------------------

Add an 'ipaCustodiaKey' object class, which has 'managedBy'
attribute for linking the key to the host that manages it, and
'ipaUniqueId'.

Create key entries with autogenerated ipaUniqueId as RDN.

Add ACIs:

    dn: cn=ipa,cn=etc,$SUFFIX
    add:aci: (target = "ldap:///*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")
        (version 3.0; acl "IPA server hosts can create own Custodia secrets";
        allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
        and userattr = "managedby#USERDN";)
    add:aci: (target = "ldap:///*,cn=custodia,cn=ipa,cn=etc,$SUFFIX") (targetattr = "ipaPublicKey")
        (version 3.0; acl "IPA server hosts can manage own Custodia secrets";
        allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
        and userattr = "managedby#USERDN";)

(Retain existing ACIs for backwards compatiblity.)


Let me know what you think!

Cheers,
Fraser

More information about the Freeipa-devel mailing list