[Freeipa-devel] DNs of Custodia keys
Petr Spacek
pspacek at redhat.com
Tue Apr 12 08:14:18 UTC 2016
On 12.4.2016 09:03, Fraser Tweedale wrote:
> Hi Simo and Honza et al,
>
> I have a design challenge pertaining to DNs for Custodia keys.
> DNs for Custodia keys for host principals currently take the form:
>
> cn={sig,enc}/$HOSTNAME,cn=custodia,cn=ipa,cn=etc,$SUFFIX
>
> This prevents the creation of Custodia keys for service principals
> (pursuant to another recent design decision[1] the service principal
> 'dogtag-ipa-custodia/$HOSTNAME@$REALM' shall be used as a Custodia
> client for Dogtag lightweight CA key replication).
>
> [1] https://www.redhat.com/archives/freeipa-devel/2016-April/msg00044.html
>
> Searches for custodia keys use a filter on 'ipaKeyUsage' and
> 'memberPrincipal' attributes, so the CN is unimportant except for
> a) uniqueness, and b) ACIs (see below).
>
> Based on this, my first attempt to resolve the conflict was to use
> the service name and host name instead of the just the hostname:
>
> cn=sig/host/f23-5.ipa.local at IPA.LOCAL,cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=local
>
> However, this fails during replica install:
>
> [2/5]: Generating ipa-custodia keys
> {'info': "Insufficient 'add' privilege to add the entry
> 'cn=sig/host/f23-5.ipa.local,cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=local'.\n",
> 'desc': 'Insufficient access'}
>
> due to the ACI:
>
> dn: cn=ipa,cn=etc,$SUFFIX
> add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")
> (version 3.0; acl "IPA server hosts can create own Custodia secrets";
> allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
> and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
>
> The wildcard '*' in the target is not greedy and stops at the first
> slash '/', so the value captured by the ($dn) macro does not match
> the bind DN.
The question is if the * behaves as expected. CCing Ludwig ...
Petr^2 Spacek
>
>
> Proposed solution
> -----------------
>
> Use a delimiter other than '/' between the key type and service
> name, e.g.
>
> cn={sig,enc}+$SERVICENAME/$HOSTNAME (rule)
> cn=sig+dogtag-ipa-custodia/f23-3.ipa.local (example)
>
> Pros: should work with existing ACIs.
>
> Cons: continues with an arguably suboptimal design choice.
>
>
> Alternative solution
> --------------------
>
> Add an 'ipaCustodiaKey' object class, which has 'managedBy'
> attribute for linking the key to the host that manages it, and
> 'ipaUniqueId'.
>
> Create key entries with autogenerated ipaUniqueId as RDN.
>
> Add ACIs:
>
> dn: cn=ipa,cn=etc,$SUFFIX
> add:aci: (target = "ldap:///*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")
> (version 3.0; acl "IPA server hosts can create own Custodia secrets";
> allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
> and userattr = "managedby#USERDN";)
> add:aci: (target = "ldap:///*,cn=custodia,cn=ipa,cn=etc,$SUFFIX") (targetattr = "ipaPublicKey")
> (version 3.0; acl "IPA server hosts can manage own Custodia secrets";
> allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
> and userattr = "managedby#USERDN";)
>
> (Retain existing ACIs for backwards compatiblity.)
>
>
> Let me know what you think!
>
> Cheers,
> Fraser
>
--
Petr^2 Spacek
More information about the Freeipa-devel
mailing list