Thanks for the really in-depth replies, Alexander & Robert!

On Fri, May 13, 2022 at 09:27:34PM +0300, Alexander Bokovoy wrote:
> On pe, 13 touko 2022, Sam Morris via FreeIPA-users wrote:
> > I'm looking into using <https://github.com/guilhem/freeipa-issuer> to
> > request certificates from FreeIPA on behalf of a (FreeIPA) service.
> >
> > The project authenticates to the FreeIPA API with a specified username
> > and password:
> > <https://github.com/guilhem/freeipa-issuer/blob/174d145616a672b09d3fdb56b2dd7c93612e483e/provisionners/freeipa.go#L38>
> >
> > I presume this means that it's only possible for it to authenticate to
> > the FreeIPA API as a user, as opposed to a host or service.
>
> Not correct. You can authenticate with any Kerberos principal. Your
> rights would be limited to what that object is allowed to do and this
> can be adjusted with permissions/privileges/roles:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/

Ah, right. I didn't explain what I meant very well. Sorry about that.
What I meant is freeipa-issuer is only able to authenticate to the
FreeIPA API using a username & password. And I thought at the time that
that means that freeipa-issuer can only authenticate as a user and not a
host or a service.

Since then I've done a bit more experimentation and have come up with
this procedure:

    $ ipa host-add authtest.example.qq --random
    <the host now exists, but it doesn't have a Kerberos principal
    associated with it yet; therefore the password can't be used to
    obtain a Kerberos TGT, so it can't be used with the FreeIPA API>

    $ ipa service-add HTTP/authtest.example.qq

    $ ipa-join -h authtest.example.qq -w <one-time-password> -k /tmp/authtext.keytab -b dc=example,dc=qq
    <the host now has a Kerberos principal associated with it, but with
    a randomly generated key instead of one derived from a password>

    $ openssl rand -base64 $((128/8))
    <generate a password with 128 bits of entropy>

    $ ldappasswd -H ldaps://ipa0.example.qq -Y GSSAPI fqdn=authtest.example.qq,cn=computers,cn=accounts,dc=example,dc=qq -s <new password>
    <set the host's password to the new password>

    $ http -f https://ipa0.example.qq/ipa/session/login_password user=host/authtest.example.qq 'password=<new password>'
    <log in to the FreeIPA API as the host, using the new password>

This gets me a 200 OK response, so it looks like we're good to go! Next
steps will be to configure freeipa-issuer with these credentials and see
if it's able to request a certificate for HTTP/authtest.example.qq.

Of course it would definitely be better if freeipa-issuer was able to
use Kerberos to authenticate to the FreeIPA API. Maybe I'll give that a
go too...

--
Sam Morris <https://robots.org.uk/>
CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
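The procedure from the message above, consolidated into a script as an added example (it is neither Sam's code nor the freeipa-issuer project's). It assumes ipa, ipa-join, openssl, ldappasswd and curl are installed, that the caller holds an admin Kerberos ticket for the ipa and ldappasswd steps, and the function names (host_dn, host_principal, login_verdict, provision_host) and the IPA_* environment variables are my own.

```shell
# Added example, not code from the thread: the manual procedure as a script.
# Assumes ipa, ipa-join, openssl, ldappasswd and curl, plus an admin Kerberos
# ticket (kinit admin) for the ipa and ldappasswd steps; ipa-join binds with OTP.
set -eu

# LDAP DN of a FreeIPA host entry, from its FQDN and the base DN.
host_dn() {
    printf 'fqdn=%s,cn=computers,cn=accounts,%s\n' "$1" "$2"
}

# Principal name the login_password endpoint expects for a host.
host_principal() {
    printf 'host/%s\n' "$1"
}

# Map the HTTP status of login_password to a verdict: 200 means the
# credentials were accepted, 401 means FreeIPA rejected them.
login_verdict() {
    case "$1" in
        200) echo ok ;;
        401) echo rejected ;;
        *)   echo error ;;
    esac
}
# Enrol the host and give it a password usable against the web API.
provision_host() {
    fqdn=$1; basedn=$2; server=$3; keytab=$4
    # 1. Host entry with a one-time password (printed as "Random password:"),
    #    plus the HTTP service whose certificate will be requested later.
    otp=$(ipa host-add "$fqdn" --random | sed -n 's/^ *[Rr]andom *[Pp]assword: //p')
    ipa service-add "HTTP/$fqdn"
    # 2. ipa-join consumes the one-time password and creates the host
    #    principal with a random key, written to the keytab.
    ipa-join -h "$fqdn" -w "$otp" -k "$keytab" -b "$basedn"
    # 3. Fresh 128-bit password, set on the host entry over LDAPS + GSSAPI.
    pw=$(openssl rand -base64 16)
    ldappasswd -H "ldaps://$server" -Y GSSAPI "$(host_dn "$fqdn" "$basedn")" -s "$pw"
    # 4. Verify the web API accepts host principal + password (the httpie
    #    call from the thread, but checking the status code explicitly).
    status=$(curl -s -o /dev/null -w '%{http_code}' \
        --data-urlencode "user=$(host_principal "$fqdn")" \
        --data-urlencode "password=$pw" \
        "https://$server/ipa/session/login_password")
    echo "login_password: $(login_verdict "$status")"
}

# Runs only when parameters are supplied; otherwise the functions just load.
if [ -n "${IPA_HOST_FQDN:-}" ]; then
    provision_host "$IPA_HOST_FQDN" "$IPA_BASE_DN" "$IPA_SERVER" "$IPA_KEYTAB"
fi
```

The thread does not say whether the ldappasswd step in 3 also regenerates the host's Kerberos key and so invalidates the keytab written by ipa-join; if the keytab is needed as well, check it afterwards with `kinit -kt "$keytab" "host/$fqdn"` before relying on it.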