[Freeipa-users] Certmonger (or similar) for FreeBSD?

Alexander Bokovoy abokovoy at redhat.com
Tue Oct 25 10:24:19 UTC 2016


On Tue, 25 Oct 2016, Rob Crittenden wrote:
>David Kupka wrote:
>>On 24/10/16 19:26, Gilbert Wilson wrote:
>>>
>>>>On Oct 24, 2016, at 5:51 AM, David Kupka <dkupka at redhat.com> wrote:
>>>>
>>>>On 22/10/16 00:15, Gilbert Wilson wrote:
>>>>>We have a lot of FreeBSD systems that I would like to streamline
>>>>>certificate issuance and renewal. Ideally, we could leverage our
>>>>>FreeIPA system's CA to do this. But, certmonger doesn't run on
>>>>>FreeBSD (or does it?). What other means have other people tried, or
>>>>>would you recommend investigating, to enable automated certificate
>>>>>issuance and renewal for FreeBSD FreeIPA clients?
>>>>>
>>>>>Any pointers are appreciated!
>>>>>
>>>>>Gil
>>>>>
>>>>
>>>>Hello Gil!
>>>>
>>>>I have very limited experience with *BSD systems, so the question may
>>>>be completely off.
>>>>Have you tried to install and run certmonger using FreeBSD's Linux
>>>>Binary Compatibility [1]? Though I don't know what the limitations or
>>>>possible issues are, it could be a way.
>>>>
>>>>[1] http://www.freebsd.cz/doc/handbook/linuxemu.html
>>>>
>>>>--
>>>>David Kupka
>>>
>>>
>>>You know… I haven’t ever tried LBC! I suppose it’s worth a sacrificial
>>>virtual machine to see if it works. It also occurred to me that
>>>FreeIPA might have some sort of API given the web interface, and sure
>>>enough that made the Google-fu turn up more useful results.
>>>
>>>* https://vda.li/en/posts/2015/05/28/talking-to-freeipa-api-with-sessions/
>>>* https://adam.younglogic.com/2010/07/talking-to-freeipa-json-web-api-via-curl/
>>>* http://www.admin-magazine.com/Archive/2016/34/A-REST-interface-for-FreeIPA
>>>
>>>
>>>There doesn’t appear to be a manual for the API but those examples
>>>seem to “show the way”. My initial thought is to create a script that
>>>uses kinit with a keytab to authenticate against FreeIPA and then
>>>create/renew permissible certificates for the system before they
>>>expire. This seems reasonable since the certificate creation/renewal
>>>is the scope of what I’m interested in doing. Do you see any reason
>>>not to do it this way or have any other alternative suggestions?
>>>Another way to think about it, perhaps, is what would you do on a
>>>Linux system if you didn’t have access to the FreeIPA client or
>>>certmonger?
>>>
>>>Thanks for the pointer/reminder about LBC!
>>>
>>>Gil
>>>
>>>
>>>
>>
>>You're right, FreeIPA has a JSON RPC API. It's used in the WebUI and also in
>>the 'ipa' CLI. If you have FreeIPA server 4.2 or above, there's an API Browser
>>in the WebUI (IPA Server - API Browser). There you can find all commands and
>>their parameters.
>>Just an obligatory disclaimer: talking directly to the API is not
>>officially supported. This means that the API can change in future
>>versions.
>>
>>Good luck!
>
>And this is sort of reinventing the wheel. certmonger uses the API already.
>
>Have you tried building certmonger on BSD? It should be pretty 
>portable C code, it just might require installing additional 
>dependencies like libcurl (with GSSAPI support) and probably a few 
>others.

There are some more involved dependencies which would require porting
the code to use *BSD-provided options -- the netlink interface is a
Linux-specific dependency that may be harder to avoid and would require
a separate implementation, as certmonger depends on the ability to look
at network interface changes.

-- 
/ Alexander Bokovoy
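The keytab-plus-JSON-RPC approach Gil sketches above, written out as an added example (not code from this thread or from the FreeIPA project): a host authenticates with kinit and its keytab, trades the ticket for an IPA session cookie, and submits a CSR to the CA with the same cert_request command the 'ipa' CLI uses. It assumes the standard FreeIPA endpoints /ipa/session/login_kerberos and /ipa/session/json, a system curl built with GSSAPI support (the libcurl requirement Rob mentions), and placeholder values for the server name, keytab path and API version.

```python
import json
import subprocess

# Placeholders, not values from the thread: adjust to your own realm and host.
IPA_SERVER = "ipa.example.test"
KEYTAB = "/etc/krb5.keytab"
COOKIE_JAR = "/var/run/ipa-session.jar"
API_VERSION = "2.156"  # assumed; use the version your server's API Browser reports

def build_rpc(method, args=(), **options):
    """Build one FreeIPA JSON-RPC request: positional arguments go in a list,
    options in a dict, and "version" must be explicit or the server refuses it."""
    opts = dict(options)
    opts.setdefault("version", API_VERSION)
    return {"method": method, "params": [list(args), opts], "id": 0}

def parse_rpc_response(body):
    """Return the "result" member of a reply, raising if the server sent an error."""
    msg = json.loads(body)
    err = msg.get("error")
    if err:
        raise RuntimeError(f"{err.get('name')} (code {err.get('code')}): {err.get('message')}")
    return msg["result"]

def kerberos_login(principal):
    """kinit with the host keytab, then exchange the ticket for an IPA session
    cookie over SPNEGO; curl needs GSSAPI support for --negotiate to work."""
    subprocess.run(["kinit", "-kt", KEYTAB, principal], check=True)
    subprocess.run(["curl", "-sSf", "--negotiate", "-u", ":", "-c", COOKIE_JAR,
                    "-H", f"Referer: https://{IPA_SERVER}/ipa",
                    f"https://{IPA_SERVER}/ipa/session/login_kerberos"], check=True)

def ipa_call(rpc):
    """POST one request to the session endpoint with the cookie and parse the reply."""
    out = subprocess.run(
        ["curl", "-sSf", "-b", COOKIE_JAR,
         "-H", "Content-Type: application/json", "-H", "Accept: application/json",
         "-H", f"Referer: https://{IPA_SERVER}/ipa",
         "--data", json.dumps(rpc), f"https://{IPA_SERVER}/ipa/session/json"],
        check=True, capture_output=True, text=True)
    return parse_rpc_response(out.stdout)

def request_host_cert(csr_pem, host_fqdn):
    """Have the IPA CA sign a CSR (e.g. produced with 'openssl req') for this
    host's own principal; the returned dict carries the issued certificate."""
    principal = f"host/{host_fqdn}"
    kerberos_login(principal)
    return ipa_call(build_rpc("cert_request", [csr_pem], principal=principal))
```

Since David notes the API is not officially supported, pin the version option to what your server's API Browser reports and treat a non-null "error" member as a signal to re-check the command's parameters after an upgrade.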