Thanks for the really in-depth replies, Alexander & Robert!

On Fri, May 13, 2022 at 09:27:34PM +0300, Alexander Bokovoy wrote:
> On pe, 13 touko 2022, Sam Morris via FreeIPA-users wrote:
> > I'm looking into using <https://github.com/guilhem/freeipa-issuer> to
> > request certificates from FreeIPA on behalf of a (FreeIPA) service.
> >
> > The project authenticates to the FreeIPA API with a specified username
> > and password:
> > <https://github.com/guilhem/freeipa-issuer/blob/174d145616a672b09d3fdb56b2dd7c93612e483e/provisionners/freeipa.go#L38>
> >
> > I presume this means that it's only possible for it to authenticate to
> > the FreeIPA API as a user, as opposed to a host or service.
>
> Not correct. You can authenticate with any Kerberos principal. Your
> rights would be limited to what that object is allowed to do and this
> can be adjusted with permissions/privileges/roles:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/
Ah, right. I didn't explain what I meant very well. Sorry about that. What I meant is that freeipa-issuer is only able to authenticate to the FreeIPA API using a username & password. And I thought at the time that that means that freeipa-issuer can only authenticate as a user and not as a host or a service.

Since then I've done a bit more experimentation and have come up with this procedure:

  $ ipa host-add authtest.example.qq --random

<the host now exists, but it doesn't have a Kerberos principal associated with it yet; therefore the password can't be used to obtain a Kerberos TGT, so it can't be used with the FreeIPA API>

  $ ipa service-add HTTP/authtest.example.qq
  $ ipa-join -h authtest.example.qq -w <one-time-password> -k /tmp/authtest.keytab -b dc=example,dc=qq

<the host now has a Kerberos principal associated with it, but with a randomly generated key instead of one derived from a password>

  $ openssl rand -base64 $((128/8))

<generate a password with 128 bits of entropy>

  $ ldappasswd -H ldaps://ipa0.example.qq -Y GSSAPI fqdn=authtest.example.qq,cn=computers,cn=accounts,dc=example,dc=qq -s <new password>

<set the host's password to the new password>

  $ http -f https://ipa0.example.qq/ipa/session/login_password user=host/authtest.example.qq 'password=<new password>'

<log in to the FreeIPA API as the host, using the new password>

This gets me a 200 OK response, so it looks like we're good to go! Next steps will be to configure freeipa-issuer with these credentials and see if it's able to request a certificate for HTTP/authtest.example.qq.

Of course it would definitely be better if freeipa-issuer was able to use Kerberos to authenticate to the FreeIPA API. Maybe I'll give that a go too...
--
Sam Morris <https://robots.org.uk/>
CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
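The last two steps of the procedure above, the password login as the host principal and the follow-up cert_request that freeipa-issuer would make, as an added example client. This is not code from the thread or from freeipa-issuer; it uses only the FreeIPA web endpoints the message exercises (/ipa/session/login_password and the JSON-RPC endpoint /ipa/session/json). The server name, host name, service principal and CSR file name are constructed placeholders on the thread's example.qq domain, and the password is read from an environment variable on the assumption that it is the value set with ldappasswd. The request-building and response-classifying functions are separated from the network calls so they can be checked offline.

```python
"""Log in to the FreeIPA API as a host principal using a password and then
request a certificate over the resulting session. Added example; not code
from the thread or from freeipa-issuer. Names below are constructed placeholders."""
import http.cookiejar
import json
import os
import base64
import urllib.error
import urllib.parse
import urllib.request

# Constructed values mirroring the thread's example; adjust to your realm.
IPA_SERVER = "ipa0.example.qq"
HOST_PRINCIPAL = "host/authtest.example.qq"
SERVICE_PRINCIPAL = "HTTP/authtest.example.qq"


def generate_password(bits=128):
    """Same as `openssl rand -base64 $((128/8))`: base64 of `bits` random bits."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def login_request(server, principal, password):
    """URL, headers and form body for POST /ipa/session/login_password.
    The `user` field takes any Kerberos principal (host/..., HTTP/...), not only a user."""
    url = "https://%s/ipa/session/login_password" % server
    headers = {
        "Referer": "https://%s/ipa" % server,  # FreeIPA refuses requests without a Referer
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "text/plain",
    }
    body = urllib.parse.urlencode({"user": principal, "password": password}).encode("ascii")
    return url, headers, body


def interpret_login(status, headers):
    """Classify the login reply: 200 means an ipa_session cookie was issued; 401 carries
    the reason in X-IPA-Rejection-Reason (e.g. invalid-password, password-expired)."""
    if status == 200:
        return "ok"
    if status == 401:
        return headers.get("X-IPA-Rejection-Reason", "rejected")
    return "http-%d" % status


def cert_request_rpc(csr_pem, principal):
    """JSON-RPC body for cert_request: the PEM CSR is positional, the target principal
    is a keyword argument. Authorisation for that principal is decided server-side by
    the host's permissions/privileges/roles, as Alexander pointed out."""
    return {"method": "cert_request", "params": [[csr_pem], {"principal": principal}], "id": 0}


def login(server, principal, password):
    """Perform the login. Returns (result, opener); opener carries the ipa_session cookie
    on success and is None otherwise."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    url, headers, body = login_request(server, principal, password)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener.open(req) as resp:
            return interpret_login(resp.status, resp.headers), opener
    except urllib.error.HTTPError as err:
        return interpret_login(err.code, err.headers), None


def request_cert(server, opener, csr_pem, principal):
    """Call cert_request over the authenticated session; returns the parsed JSON-RPC reply."""
    req = urllib.request.Request(
        "https://%s/ipa/session/json" % server,
        data=json.dumps(cert_request_rpc(csr_pem, principal)).encode("utf-8"),
        headers={"Referer": "https://%s/ipa" % server,
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST")
    with opener.open(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed: the password previously set on the host object with ldappasswd.
    password = os.environ["IPA_HOST_PASSWORD"]
    result, opener = login(IPA_SERVER, HOST_PRINCIPAL, password)
    print("login as %s: %s" % (HOST_PRINCIPAL, result))
    if opener is not None:
        with open("authtest.csr") as f:  # placeholder: PEM CSR for the HTTP service
            csr = f.read()
        print(json.dumps(request_cert(IPA_SERVER, opener, csr, SERVICE_PRINCIPAL), indent=1))
```

Run it with `IPA_HOST_PASSWORD='<new password>' python3 ipa_host_login.py` on a machine that trusts the IPA CA. A 401 from login_password is the place to look first when the host-as-user approach misbehaves: the X-IPA-Rejection-Reason header distinguishes a wrong password from an expired one, which the bare status code does not. Note that the password set with ldappasswd is a long-lived credential for the host principal, so it belongs in the same secret store as any service account password.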