Flo, Thank you for the help. That is exactly what I needed. I was able to successfully set up an ACL.
On Fri, Dec 27, 2019 at 12:22 PM Florence Blanc-Renaud <[email protected]> wrote:
> On 12/24/19 2:53 PM, Michael Plemmons via FreeIPA-users wrote:
> > We have a need where we want to allow a user to submit their own CSR to
> > generate their own SSL certificate and to be able to download their own
> > certificate.
> >
> > I get the following error:
> >
> > Insufficient access: Principal '[email protected]' is not permitted to use CA 'ipa'
> > with profile 'IECUserRoles' for certificate issuance.
> >
> Hi,
>
> please have a look in the documentation at the chapter related to
> Certificate Authority ACL rules:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/ca-acls
>
> CA ACLs define which certificate profile can be used to issue
> certificates to which users/services/hosts.
>
> HTH,
> flo
>
> > Here are the permissions I have set up.
> >
> > * Create a new Privilege called SelfService
> >
> > * Add the following permissions to the SelfService Privilege
> >   * Request Certificate (FreeIPA builtin permission)
> >   * Retrieve Certificates from the CA (FreeIPA builtin permission)
> >   * UserSelfSerivceCertificate (custom permission)
> >   * ReadCAProfile (custom permission)
> >   * ReadIPACA (custom permission)
> >
> > * Create Role called SelfService
> >   * Attach the SelfService Privilege to this Role
> >
> > * I then attach that Role to a test user.
> >
> > I am sure I am missing other permissions but I am not sure what. If
> > there is already documentation that explains how to do this I am happy
> > to reference that. If not, what else am I missing?
> >
> > ============
> >
> > dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
> > member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
> > ipaPermRight: read
> > ipaPermRight: search
> > ipaPermRight: compare
> > ipaPermRight: write
> > ipaPermRight: add
> > ipaPermTargetFilter: (objectclass=posixaccount)
> > ipaPermBindRuleType: permission
> > ipaPermissionType: SYSTEM
> > ipaPermissionType: V2
> > cn: UserSelfSerivceCertificate
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: ipapermission
> > objectClass: ipapermissionv2
> > ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
> > ipaPermIncludedAttr: usercertificate
> >
> > ============
> >
> > dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
> > member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
> > ipaPermBindRuleType: permission
> > ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
> > ipaPermRight: read
> > ipaPermRight: search
> > ipaPermTargetFilter: (objectclass=ipacertprofile)
> > ipaPermissionType: SYSTEM
> > ipaPermissionType: V2
> > cn: ReadCAProfile
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: ipapermission
> > objectClass: ipapermissionv2
> > ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
> > ipaPermIncludedAttr: cn
> > ipaPermIncludedAttr: description
> > ipaPermIncludedAttr: ipacertprofilestoreissued
> > ipaPermIncludedAttr: objectclass
> >
> > ============
> >
> > dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
> > member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
> > ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
> > ipaPermRight: read
> > ipaPermRight: search
> > ipaPermRight: compare
> > ipaPermTargetFilter: (objectclass=ipaca)
> > ipaPermBindRuleType: permission
> > ipaPermissionType: SYSTEM
> > ipaPermissionType: V2
> > cn: ReadIPACA
> > objectClass: top
> > objectClass: groupofnames
> > objectClass: ipapermission
> > objectClass: ipapermissionv2
> > ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
> > ipaPermIncludedAttr: cn
> > ipaPermIncludedAttr: description
> > ipaPermIncludedAttr: ipacaid
> > ipaPermIncludedAttr: ipacaissuerdn
> > ipaPermIncludedAttr: ipacasubjectdn
> > ipaPermIncludedAttr: objectclass
> >
> > Thank you for any insight you are able to provide.
> >
> > --
> > Mike Plemmons
> > Senior Infrastructure Engineer

--
Mike Plemmons
Senior Infrastructure Engineer
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
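As an added example (not from the thread, and not the exact commands Mike ran), here is the kind of CA ACL that clears the quoted error: it authorises a user to use CA 'ipa' with profile 'IECUserRoles', something the ipaPermission entries above cannot grant because CA ACLs are evaluated separately from LDAP permissions. The ACL name selfservice_iecuserroles, the user mplemmons and the CSR path are assumptions; setting IPA=echo dry-runs the commands instead of calling the ipa client.

```shell
#!/bin/sh
# Added example, not part of the original thread: build a FreeIPA CA ACL
# that lets one user request certificates from CA 'ipa' with profile
# 'IECUserRoles' (the CA/profile pair named in the quoted error).
# ACL name and user name below are assumptions, not values from the thread.
set -eu

IPA="${IPA:-ipa}"                        # set IPA=echo to dry-run
ACL="${ACL:-selfservice_iecuserroles}"   # assumed ACL name

# Create the ACL, then scope it: one CA, one profile, the named user(s).
# Leaving the CA or profile scope empty would grant nothing; widening it
# to --cacat=all / --profilecat=all is what to avoid for self-service.
setup_caacl() {
    user="$1"
    "$IPA" caacl-add "$ACL" --desc="Self-service IECUserRoles certificates"
    "$IPA" caacl-add-ca "$ACL" --cas=ipa
    "$IPA" caacl-add-profile "$ACL" --certprofiles=IECUserRoles
    "$IPA" caacl-add-user "$ACL" --users="$user"
    # Show the resulting rule so the CA, profile and members can be checked
    # against the principal, CA and profile named in the error message.
    "$IPA" caacl-show "$ACL"
}

# The request the user then makes; it must match the ACL on all three of
# principal, CA and profile or the same "not permitted" error is returned.
request_cert() {
    user="$1"
    csr="$2"
    "$IPA" cert-request --principal="$user" --profile-id=IECUserRoles --ca=ipa "$csr"
}
```

The caacl-show output lists the CAs, profiles and users the rule covers, which is the quickest check that the rule actually matches the principal in the error.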
