Re: [Freeipa-devel] CA ACL enforcement when authenticated as root

2015-07-03 Thread Simo Sorce
On Sat, 2015-07-04 at 00:32 +1000, Fraser Tweedale wrote:
 On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
  Hi everyone,
  
  With the addition of CA ACLs, there are now two levels of
  permissions checked by the `cert-request' command:
  
  - LDAP permission checks.  This check is performed against the bind
principal; `admin' has permission to write the userCertificate
attribute of any principal.
  
  - CA ACLs: whether issuing a certificate to a particular principal
using a particular profile is permitted.  This check is performed
against the principal for whom the certificate is being requested,
which might or might not be the bind principal.
  
  Some questions came up after the recent GSS IdM test day:
  
  1) It was requested to add a caacl rule to allow `admin' to issue a
  certificate for itself via any profile.  This is straightforward,
  but what are the use cases for the `admin' account issuing
  certificates to itself?
  
  2) When `admin' (as bind principal) requests a certificate for
  another principal and there is no CA ACL allowing issuance of a
  certificate for that principal+profile, the request is currently
  rejected.  Should we change the behaviour to allow `admin' to issue
  a certificate to any principal, using any profile?  (This would be
  accomplished by skipping CA ACL checks in `cert-request' when
  authenticated as admin.)
  
  (Note, if the answer to (2) is yes, (1) is subsumed.)

There should be a group (of which admin will be part by default) that
can do this. It is needed to be able to provide certificates to hosts
that respond to multiple names, wildcard names and so on.

So, yes.

Simo.


  Cheers,
  Fraser
  
  -- 
  Manage your subscription for the Freeipa-devel mailing list:
  https://www.redhat.com/mailman/listinfo/freeipa-devel
  Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
 
 Ping.  Anyone got feels about this?  Otherwise a patch will appear
 implementing (2), because that is a smaller patch :)
 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] CA ACL enforcement when authenticated as root

2015-07-03 Thread Fraser Tweedale
On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
 Hi everyone,
 
 With the addition of CA ACLs, there are now two levels of
 permissions checked by the `cert-request' command:
 
 - LDAP permission checks.  This check is performed against the bind
   principal; `admin' has permission to write the userCertificate
   attribute of any principal.
 
 - CA ACLs: whether issuing a certificate to a particular principal
   using a particular profile is permitted.  This check is performed
   against the principal for whom the certificate is being requested,
   which might or might not be the bind principal.
 
 Some questions came up after the recent GSS IdM test day:
 
 1) It was requested to add a caacl rule to allow `admin' to issue a
 certificate for itself via any profile.  This is straightforward,
 but what are the use cases for the `admin' account issuing
 certificates to itself?
 
 2) When `admin' (as bind principal) requests a certificate for
 another principal and there is no CA ACL allowing issuance of a
 certificate for that principal+profile, the request is currently
 rejected.  Should we change the behaviour to allow `admin' to issue
 a certificate to any principal, using any profile?  (This would be
 accomplished by skipping CA ACL checks in `cert-request' when
 authenticated as admin.)
 
 (Note, if the answer to (2) is yes, (1) is subsumed.)
 
 Cheers,
 Fraser
 

Ping.  Anyone got feels about this?  Otherwise a patch will appear
implementing (2), because that is a smaller patch :)



[Freeipa-devel] CA ACL enforcement when authenticated as root

2015-07-01 Thread Fraser Tweedale
Hi everyone,

With the addition of CA ACLs, there are now two levels of
permissions checked by the `cert-request' command:

- LDAP permission checks.  This check is performed against the bind
  principal; `admin' has permission to write the userCertificate
  attribute of any principal.

- CA ACLs: whether issuing a certificate to a particular principal
  using a particular profile is permitted.  This check is performed
  against the principal for whom the certificate is being requested,
  which might or might not be the bind principal.

Some questions came up after the recent GSS IdM test day:

1) It was requested to add a caacl rule to allow `admin' to issue a
certificate for itself via any profile.  This is straightforward,
but what are the use cases for the `admin' account issuing
certificates to itself?

2) When `admin' (as bind principal) requests a certificate for
another principal and there is no CA ACL allowing issuance of a
certificate for that principal+profile, the request is currently
rejected.  Should we change the behaviour to allow `admin' to issue
a certificate to any principal, using any profile?  (This would be
accomplished by skipping CA ACL checks in `cert-request' when
authenticated as admin.)

(Note, if the answer to (2) is yes, (1) is subsumed.)

Cheers,
Fraser
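
The two checks described in this message, and the bypass group suggested in the reply, modelled as an added example that is not part of the original post and is not FreeIPA code. The class and function names, the check order, and all principals and profile names are assumptions constructed for illustration.

```python
# Illustrative model only; not FreeIPA code. All names and data are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class CAACL:
    """One rule: these subject principals may be issued certs via these profiles."""
    principals: frozenset
    profiles: frozenset

@dataclass
class Policy:
    # bind principal -> subjects whose userCertificate it may write ("*" = any)
    usercert_writers: dict
    caacls: list
    # Assumption: members of this group skip the CA ACL check (the group idea
    # from the reply); an empty set reproduces the behaviour described as current.
    caacl_bypass: set = field(default_factory=set)

def ldap_write_allowed(policy, bind, subject):
    """Level 1: evaluated against the *bind* principal."""
    allowed = policy.usercert_writers.get(bind, set())
    return "*" in allowed or subject in allowed

def caacl_allows(policy, subject, profile):
    """Level 2: evaluated against the principal the certificate is *for*."""
    return any(subject in r.principals and profile in r.profiles
               for r in policy.caacls)

def cert_request(policy, bind, subject, profile):
    """Return (decision, deciding_check). The check order is an assumption."""
    if not ldap_write_allowed(policy, bind, subject):
        return ("deny", "ldap")
    if bind in policy.caacl_bypass:
        return ("allow", "bypass")
    if caacl_allows(policy, subject, profile):
        return ("allow", "caacl")
    return ("deny", "caacl")

def demo_policy(bypass=()):
    """Constructed sample data: admin may write any userCertificate."""
    return Policy(
        usercert_writers={"admin": {"*"}, "alice": {"alice"}},
        caacls=[CAACL(frozenset({"alice"}), frozenset({"userProfile"}))],
        caacl_bypass=set(bypass),
    )

if __name__ == "__main__":
    for p in (demo_policy(), demo_policy(bypass={"admin"})):
        print(cert_request(p, "admin", "host/web.example.test", "wildcardProfile"))
```

Returning the deciding check alongside the decision makes it possible to log which issuances were allowed only through the bypass, which is the set worth auditing if option (2) is adopted.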
