[Freeipa-devel] DNs of Custodia keys

Fraser Tweedale ftweedal at redhat.com
Tue Apr 12 11:26:33 UTC 2016 

On Tue, Apr 12, 2016 at 12:55:50PM +0200, Jan Cholasta wrote:
> Hi,
> 
> On 12.4.2016 09:03, Fraser Tweedale wrote:
> >Hi Simo and Honza et al,
> >
> >I have a design challenge pertaining to DNs for Custodia keys.
> >DNs for Custodia keys for host principals currently take the form:
> >
> >     cn={sig,enc}/$HOSTNAME,cn=custodia,cn=ipa,cn=etc,$SUFFIX
> >
> >This prevents the creation of Custodia keys for service principals
> >(pursuant to another recent design decision[1] the service principal
> >'dogtag-ipa-custodia/$HOSTNAME@$REALM' shall be used as a Custodia
> >client for Dogtag lightweight CA key replication).
> 
> This naming scheme is relevant only to IPA server keys, otherwise the cn can
> be anything, as long as it does not conflict with existing keys.
> 
> >
> >[1] https://www.redhat.com/archives/freeipa-devel/2016-April/msg00044.html
> >
> >Searches for custodia keys use a filter on 'ipaKeyUsage' and
> >'memberPrincipal' attributes, so the CN is unimportant except for
> >a) uniqueness, and b) ACIs (see below).
> >
> >Based on this, my first attempt to resolve the conflict was to use
> >the service name and host name instead of the just the hostname:
> >
> >     cn=sig/host/f23-5.ipa.local at IPA.LOCAL,cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=local
> >
> >However, this fails during replica install:
> >
> >   [2/5]: Generating ipa-custodia keys
> >   {'info': "Insufficient 'add' privilege to add the entry
> >             'cn=sig/host/f23-5.ipa.local,cn=custodia,cn=ipa,cn=etc,dc=ipa,dc=local'.\n",
> >    'desc': 'Insufficient access'}
> >
> >due to the ACI:
> >
> >     dn: cn=ipa,cn=etc,$SUFFIX
> >     add:aci: (target = "ldap:///cn=*/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")
> >         (version 3.0; acl "IPA server hosts can create own Custodia secrets";
> >         allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
> >         and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)
> >
> >The wildcard '*' in the target is not greedy and stops at the first
> >slash '/', so the value captured by the ($dn) macro does not match
> >the bind DN.
> 
> Again, this is relevant only to IPA server keys, you should add your own ACI
> for lightweight CAs.
> 
> >
> >
> >Proposed solution
> >-----------------
> >
> >Use a delimiter other than '/' between the key type and service
> >name, e.g.
> >
> >     cn={sig,enc}+$SERVICENAME/$HOSTNAME        (rule)
> >     cn=sig+dogtag-ipa-custodia/f23-3.ipa.local (example)
> >
> >Pros: should work with existing ACIs.
> >
> >Cons: continues with an arguably suboptimal design choice.
> >
> >
> >Alternative solution
> >--------------------
> >
> >Add an 'ipaCustodiaKey' object class, which has 'managedBy'
> >attribute for linking the key to the host that manages it, and
> >'ipaUniqueId'.
> >
> >Create key entries with autogenerated ipaUniqueId as RDN.
> >
> >Add ACIs:
> >
> >     dn: cn=ipa,cn=etc,$SUFFIX
> >     add:aci: (target = "ldap:///*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")
> >         (version 3.0; acl "IPA server hosts can create own Custodia secrets";
> >         allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
> >         and userattr = "managedby#USERDN";)
> >     add:aci: (target = "ldap:///*,cn=custodia,cn=ipa,cn=etc,$SUFFIX") (targetattr = "ipaPublicKey")
> >         (version 3.0; acl "IPA server hosts can manage own Custodia secrets";
> >         allow(write) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
> >         and userattr = "managedby#USERDN";)
> >
> >(Retain existing ACIs for backwards compatiblity.)
> 
> Actually this has been discussed before:
> <https://www.redhat.com/archives/freeipa-devel/2015-November/msg00547.html>
> 
Thanks for the link and feedback.

Something like the following ACI should do the trick, I think?

  add:aci: (target = "ldap:///cn=*/dogtag-ipa-custodia/($$dn),cn=custodia,cn=ipa,cn=etc,$SUFFIX")
      (version 3.0; acl "IPA server hosts can manage Custodia secrets for the dogtag-ipa-custodia service on same host";
      allow(add) groupdn = "ldap:///cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX"
      and userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)

Host Custodia keys would keep the existing CN schema and existing
ACLs will apply only to them.

Cheers,
Fraser

> >
> >
> >Let me know what you think!
> 
> I think that all you have to do is add a new ACI for your purposes, you
> don't need to change anything.
> 
> Honza
> 
> -- 
> Jan Cholasta

More information about the Freeipa-devel mailing list