On Wed, Jul 01, 2015 at 04:06:11PM +1000, Fraser Tweedale wrote:
> Hi everyone,
>
> With the addition of CA ACLs, there are now two levels of permissions checked by the `cert-request' command:
>
> - LDAP permission checks. This check is performed against the bind principal; `admin' has permission to write the userCertificate attribute of any principal.
>
> - CA ACLs: whether issuing a certificate to a particular principal using a particular profile is permitted. This check is performed against the principal for whom the certificate is being requested, which might or might not be the bind principal.
>
> Some questions came up after the recent GSS IdM test day:
>
> 1) It was requested to add a caacl rule to allow `admin' to issue a certificate for itself via any profile. This is straightforward, but what are the use cases for the `admin' account issuing certificates to itself?
>
> 2) When `admin' (as bind principal) requests a certificate for another principal and there is no CA ACL allowing issuance of a certificate for that principal+profile, the request is currently rejected. Should we change the behaviour to allow `admin' to issue a certificate to any principal, using any profile? (This would be accomplished by skipping CA ACL checks in `cert-request' when authenticated as admin.)
>
> (Note, if the answer to (2) is "yes", (1) is subsumed.)
>
> Cheers,
> Fraser
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Ping. Anyone got feels about this?

Otherwise a patch will appear implementing (2), because that is a smaller patch :)
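The two-level check described in the quoted message, and the effect of option (2), as an added model written for this thread (not FreeIPA code). The LDAP rule, the CA ACL rule set and the principal/profile names are constructed samples; `caIPAserviceCert` is only used as a sample profile ID.

```python
"""Model of cert-request authorization: an LDAP write check against the
bind principal, then a CA ACL check against the principal the cert is for.
Constructed example; the real checks live in LDAP ACIs and the caacl plugin."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CaAcl:
    """A CA ACL rule: which principals may get certs from which profiles."""
    name: str
    principals: frozenset
    profiles: frozenset
    enabled: bool = True

    def permits(self, principal: str, profile: str) -> bool:
        return (self.enabled and principal in self.principals
                and profile in self.profiles)


def ldap_permits_write(bind_principal: str, target_principal: str) -> bool:
    # Constructed LDAP rule: admin may write userCertificate on any entry;
    # everyone else only on their own entry.
    return bind_principal == "admin" or bind_principal == target_principal


def cert_request_authorized(bind_principal, target_principal, profile, acls,
                            admin_skips_caacl=False):
    """Return (allowed, reason). admin_skips_caacl=True models option (2)."""
    # Level 1: LDAP permission, evaluated against the *bind* principal.
    if not ldap_permits_write(bind_principal, target_principal):
        return False, "ldap: bind principal may not write userCertificate"
    # Level 2: CA ACLs, evaluated against the principal the cert is *for*.
    if admin_skips_caacl and bind_principal == "admin":
        return True, "caacl: skipped for admin (option 2)"
    if any(acl.permits(target_principal, profile) for acl in acls):
        return True, "caacl: matched"
    return False, "caacl: no rule permits this principal+profile"


# Constructed rule set: only alice may be issued caIPAserviceCert certs.
SAMPLE_ACLS = (CaAcl("alice_service", frozenset({"alice"}),
                     frozenset({"caIPAserviceCert"})),)
```

With `SAMPLE_ACLS`, admin requesting for alice passes both levels, admin requesting for bob (or for admin itself, question 1) fails the CA ACL level unless `admin_skips_caacl=True`, and alice requesting for bob fails at the LDAP level before CA ACLs are consulted.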