On Fri, Jul 03, 2015 at 10:53:54AM -0400, Simo Sorce wrote:
> On Sat, 2015-07-04 at 00:32 +1000, Fraser Tweedale wrote:
> > On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
> > > Hi everyone,
> > >
> > > With the addition of CA ACLs, there are now two levels of
> > > permissions checked by the `cert-request' command:
> > >
> > > - LDAP permission checks. This check is performed against the bind
> > > principal; `admin' has permission to write the userCertificate
> > > attribute of any principal.
> > >
> > > - CA ACLs: whether issuing a certificate to a particular principal
> > > using a particular profile is permitted. This check is performed
> > > against the principal for whom the certificate is being requested,
> > > which might or might not be the bind principal.
> > >
> > > Some questions came up after the recent GSS IdM test day:
> > >
> > > 1) It was requested to add a caacl rule to allow `admin' to issue a
> > > certificate for itself via any profile. This is straightforward,
> > > but what are the use cases for the `admin' account issuing
> > > certificates to itself?
> > >
> > > 2) When `admin' (as bind principal) requests a certificate for
> > > another principal and there is no CA ACL allowing issuance of a
> > > certificate for that principal+profile, the request is currently
> > > rejected. Should we change the behaviour to allow `admin' to issue
> > > a certificate to any principal, using any profile? (This would be
> > > accomplished by skipping CA ACL checks in `cert-request' when
> > > authenticated as admin.)
> > >
> > > (Note, if the answer to (2) is "yes", (1) is subsumed.)
>
> There should be a group (of which admin will be part by default) that
> can do this. It is needed to be able to provide certificates to hosts
> that respond to multiple names, wildcard names and so on.
>
> So, yes.
>
> Simo.
>
Thanks; good idea. I filed a ticket: https://fedorahosted.org/freeipa/ticket/5099
>
> > > Cheers,
> > > Fraser
> > >
> > > --
> > > Manage your subscription for the Freeipa-devel mailing list:
> > > https://www.redhat.com/mailman/listinfo/freeipa-devel
> > > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
> >
> > Ping. Anyone got feels about this? Otherwise a patch will appear
> > implementing (2), because that is a smaller patch :)
> >
>
> --
> Simo Sorce * Red Hat, Inc * New York
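A small model of the two-level check discussed above (LDAP write permission evaluated against the bind principal, CA ACL evaluated against the requested subject) plus the group-based CA ACL bypass Simo proposes. This is an added example, not FreeIPA's code; the directory contents, ACL rules, principal names, profile id and the `cert-admins` group name are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the two checks the thread describes for
# `cert-request': the LDAP write permission is evaluated against the bind
# principal, the CA ACL against the principal the cert is requested for.
# Names, profile ids and the bypass group are illustrative, not FreeIPA's.

@dataclass
class CAACL:
    principals: set  # principal names, or {"*"} for any principal
    profiles: set    # profile ids, or {"*"} for any profile

    def permits(self, principal, profile):
        return (("*" in self.principals or principal in self.principals)
                and ("*" in self.profiles or profile in self.profiles))

@dataclass
class Directory:
    # bind principal -> principals whose userCertificate it may write
    write_cert: dict
    # group name -> members (for the proposed "skip CA ACL" group)
    groups: dict = field(default_factory=dict)

def cert_request_allowed(d, acls, bind, subject, profile, bypass_group=None):
    """Return (allowed, reason) for a cert-request by `bind` for `subject`."""
    writable = d.write_cert.get(bind, set())
    if "*" not in writable and subject not in writable:
        return False, "ldap: %s may not write userCertificate of %s" % (bind, subject)
    if bypass_group and bind in d.groups.get(bypass_group, set()):
        return True, "caacl: skipped, %s is in %s" % (bind, bypass_group)
    if any(a.permits(subject, profile) for a in acls):
        return True, "caacl: rule matched"
    return False, "caacl: no rule for %s with profile %s" % (subject, profile)

# Constructed sample data: admin may write any userCertificate, the web
# host only its own; one CA ACL covers the web host with one profile.
WEB, APP = "host/web.example.test", "host/app.example.test"
DIRECTORY = Directory(
    write_cert={"admin": {"*"}, WEB: {WEB}},
    groups={"cert-admins": {"admin"}},  # hypothetical bypass group
)
ACLS = [CAACL({WEB}, {"caIPAserviceCert"})]

if __name__ == "__main__":
    for bind, subj, grp in [("admin", WEB, None), ("admin", APP, None),
                            ("admin", APP, "cert-admins"), (WEB, APP, None)]:
        print(bind, subj, cert_request_allowed(DIRECTORY, ACLS, bind, subj,
                                               "caIPAserviceCert", grp))
```

The second case is the current behaviour the thread describes (admin rejected by the CA ACL check despite having the LDAP permission); the third is the proposed behaviour once the bypass group exists.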