On 12/24/19 2:53 PM, Michael Plemmons via FreeIPA-users wrote:
We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate.

I get the following error:

Insufficient access: Principal '[email protected]' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance.


Hi,

please have a look in the documentation at the chapter related to Certificate Authority ACL rules:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/ca-acls

CA ACLs define which certificate profile can be used to issue certificates to which users/services/hosts.

HTH,
flo
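To make the CA ACL point concrete, here is an added example (not from this thread and not FreeIPA's own code): a simplified model of how a CA ACL gates issuance by user, CA and profile, so that with only the default host/service ACL present the request above fails, and a new ACL covering the user's group, CA 'ipa' and profile 'IECUserRoles' lets it through. The ACL names, the group name `selfservice` and the `ipa caacl-*` invocations generated by `ipa_commands` are assumptions for illustration; real evaluation happens server-side in FreeIPA.

```python
from dataclasses import dataclass, field

# Simplified model of a FreeIPA CA ACL (assumption: not the server's own logic).
# A real ACL also carries host/service members and category flags; only the
# user/group, CA and profile dimensions matter for the error in this thread.
@dataclass
class CAACL:
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    usercat_all: bool = False       # --usercat=all
    cas: set = field(default_factory=set)
    cacat_all: bool = False         # --cacat=all
    profiles: set = field(default_factory=set)
    profilecat_all: bool = False    # --profilecat=all

def acl_permits(acl, user, user_groups, ca, profile):
    """One ACL matches only if subject, CA and profile are all covered."""
    if not acl.enabled:
        return False
    subject_ok = acl.usercat_all or user in acl.users or bool(user_groups & acl.groups)
    ca_ok = acl.cacat_all or ca in acl.cas
    profile_ok = acl.profilecat_all or profile in acl.profiles
    return subject_ok and ca_ok and profile_ok

def issuance_permitted(acls, user, user_groups, ca, profile):
    """Issuance is allowed when at least one enabled CA ACL matches; otherwise
    the server answers with the 'is not permitted to use CA ... with profile ...' error."""
    return any(acl_permits(a, user, user_groups, ca, profile) for a in acls)

def ipa_commands(acl):
    """CLI calls that would create an equivalent ACL (assumed from the linked docs)."""
    cmds = [f"ipa caacl-add {acl.name}"]
    cmds += [f"ipa caacl-add-user {acl.name} --groups={g}" for g in sorted(acl.groups)]
    cmds += [f"ipa caacl-add-user {acl.name} --users={u}" for u in sorted(acl.users)]
    cmds += [f"ipa caacl-add-ca {acl.name} --cas={c}" for c in sorted(acl.cas)]
    cmds += [f"ipa caacl-add-profile {acl.name} --certprofiles={p}" for p in sorted(acl.profiles)]
    return cmds

# Constructed sample data: the stock ACL covers hosts/services only (no user members),
# so a user principal never matches it, whatever the profile.
DEFAULT_ACLS = [CAACL("hosts_services_caIPAserviceCert", cacat_all=True,
                      profiles={"caIPAserviceCert"})]
# The ACL a self-service setup would add for members of the 'selfservice' group.
SELF_SERVICE_ACL = CAACL("selfservice_IECUserRoles", groups={"selfservice"},
                         cas={"ipa"}, profiles={"IECUserRoles"})

if __name__ == "__main__":
    for acls in (DEFAULT_ACLS, DEFAULT_ACLS + [SELF_SERVICE_ACL]):
        print(issuance_permitted(acls, "mike", {"selfservice"}, "ipa", "IECUserRoles"))
    print("\n".join(ipa_commands(SELF_SERVICE_ACL)))
```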

Here are the permissions I have set up.

* Create a new Privilege called SelfService

* Add the following permissions to the SelfService Privilege
   * Request Certificate (FreeIPA builtin permission)
   * Retrieve Certificates from the CA (FreeIPA builtin permission)
   * UserSelfSerivceCertificate (custom permission)
   * ReadCAProfile (custom permission)
   * ReadIPACA (custom permission)

* Create Role called SelfService
   * Attach the SelfService Privilege to this Role

* I then attach that Role to a test user.

I am sure I am missing other permissions but I am not sure what. If there is already documentation that explains how to do this I am happy to reference that. If not, what else am I missing?

============

dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermRight: write
ipaPermRight: add
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: UserSelfSerivceCertificate
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: usercertificate

============
dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermBindRuleType: permission
ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=co
  m
ipaPermRight: read
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadCAProfile
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacertprofilestoreissued
ipaPermIncludedAttr: objectclass

============

dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadIPACA
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacaid
ipaPermIncludedAttr: ipacaissuerdn
ipaPermIncludedAttr: ipacasubjectdn
ipaPermIncludedAttr: objectclass


Thank you for any insight you are able to provide.

--
*Mike Plemmons *
Senior Infrastructure Engineer
614-427-2411


<https://oliveai.com/>
99 E. Main Street
Columbus, OH 43215
oliveai.com <http://oliveai.com/>
Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
