We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate.
I get the following error:

    Insufficient access: Principal '[email protected]' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance.

Here are the permissions I have set up.

* Create a new Privilege called SelfService
* Add the following permissions to the SelfService Privilege
  * Request Certificate (FreeIPA builtin permission)
  * Retrieve Certificates from the CA (FreeIPA builtin permission)
  * UserSelfSerivceCertificate (custom permission)
  * ReadCAProfile (custom permission)
  * ReadIPACA (custom permission)
* Create Role called SelfService
* Attach the SelfService Privilege to this Role
* I then attach that Role to a test user.

I am sure I am missing other permissions but I am not sure what. If there is already documentation that explains how to do this I am happy to reference that. If not, what else am I missing?

============
dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermRight: write
ipaPermRight: add
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: UserSelfSerivceCertificate
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: usercertificate
============
dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermBindRuleType: permission
ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadCAProfile
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacertprofilestoreissued
ipaPermIncludedAttr: objectclass
============
dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadIPACA
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacaid
ipaPermIncludedAttr: ipacaissuerdn
ipaPermIncludedAttr: ipacasubjectdn
ipaPermIncludedAttr: objectclass

Thank you for any insight you are able to provide.

--
Mike Plemmons
Senior Infrastructure Engineer
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
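As an added example (not part of the post above and not FreeIPA's own code), the script below parses the three permission entries quoted in the post, summarises what each one grants at the LDAP layer (rights on attributes under a location), and separately models the decision behind the "not permitted to use CA ... with profile ..." message, which FreeIPA makes from its CA ACLs rather than from LDAP permissions. The `caacl_permits` function is a simplified model of that evaluation (principal, CA and profile must all match one enabled ACL) and is an assumption, not FreeIPA's implementation; the user name `testuser`, the group `selfservice-users` and the ACL dict are constructed for the demonstration. The LDIF is trimmed to the attributes the summary uses and keeps the wrapped `ipaPermTarget` line so the parser's continuation-line handling is exercised.

```python
"""Added example: parse IPA permission LDIF and model the CA ACL check.

Assumptions (see lead-in): caacl_permits is a simplified model of FreeIPA's
CA ACL evaluation, not its code; names below are constructed sample data.
"""
from collections import defaultdict

# Constructed: the three permissions from the post, trimmed, in LDIF form.
PERMISSIONS_LDIF = """\
dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
cn: UserSelfSerivceCertificate
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermRight: write
ipaPermRight: add
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: usercertificate

dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
cn: ReadCAProfile
ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=co
 m
ipaPermRight: read
ipaPermRight: search
ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description

dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
cn: ReadIPACA
ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries (attribute name, lower-cased -> list
    of values). Unfolds RFC 2849 continuation lines (leading space), which is
    how the wrapped ipaPermTarget DN above is spelled."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # join continuation onto prior line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if name.lower() == "dn":
            current = defaultdict(list)
        current[name.lower()].append(value.strip())
    if current:
        entries.append(current)
    return entries


def ldap_grant(entry):
    """What an IPA permission grants: LDAP rights on attributes under a
    location. Nothing here speaks about certificate issuance."""
    return {
        "name": entry["cn"][0],
        "rights": {r.lower() for r in entry["ipapermright"]},
        "location": entry["ipapermlocation"][0].lower(),
        "attrs": {a.lower() for a in entry["ipapermincludedattr"]},
        "target": entry["ipapermtarget"][0] if "ipapermtarget" in entry else None,
    }


def caacl_permits(acls, user, groups, ca, profile):
    """Simplified model (assumption, not FreeIPA code) of the CA ACL check:
    allowed only if one enabled ACL matches the principal, the CA and the
    profile. The string "all" stands for the CLI's --*cat=all wildcard."""
    for acl in acls:
        if not acl.get("enabled", True):
            continue
        who_ok = (acl["users"] == "all" or user in acl["users"]
                  or bool(set(groups) & set(acl.get("groups", ()))))
        ca_ok = acl["cas"] == "all" or ca in acl["cas"]
        prof_ok = acl["profiles"] == "all" or profile in acl["profiles"]
        if who_ok and ca_ok and prof_ok:
            return True
    return False


def self_service_check(user="testuser", groups=("selfservice-users",),
                       ca="ipa", profile="IECUserRoles"):
    """Return (ldap grants, CA ACL result with no ACL, result with one ACL)."""
    grants = [ldap_grant(e) for e in parse_ldif(PERMISSIONS_LDIF)]
    before = caacl_permits([], user, groups, ca, profile)   # post's situation
    # Constructed ACL tying the user's group to the CA and the profile.
    acl = {"name": "selfservice_IECUserRoles", "users": [],
           "groups": list(groups), "cas": [ca], "profiles": [profile]}
    after = caacl_permits([acl], user, groups, ca, profile)
    return grants, before, after


if __name__ == "__main__":
    grants, before, after = self_service_check()
    for g in grants:
        print(f"{g['name']}: {sorted(g['rights'])} on {sorted(g['attrs'])} "
              f"under {g['location']}")
    print("CA ACL permits request with no matching ACL:", before)
    print("CA ACL permits request with a matching ACL:", after)
```

Running it prints the three LDAP grants (none of which mention a CA or a profile as something the user may *use*) and `False`/`True` for the modelled CA ACL decision without and with an ACL covering the user's group, the `ipa` CA and the `IECUserRoles` profile; the LDAP-permission and CA-ACL checks are independent, so satisfying one does not satisfy the other.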
