On to, 03 helmi 2022, Pedro Bezunartea Lopez via FreeIPA-users wrote:
Hi! This is our currently working setup: - AD Domain: ourdomain.local (working fine for Windows users' authentication, Domain Controllers, etc...) - IPA Domain: idm.ourdomain.local (Trust relation successfully setup with the Domain Controllers) - AD users can login to the IPA Server with their AD credentials. Goal: Allow AD users to add and manage their own certificates for different services (VPN access and the like). The workflow would be something like: 1. Users adds a new CSR. (The user creates his key and generates the CSR locally) 2. IPA admins approve and issue the certificate. 3. The user downloads the certificate. "Local" IPA users can add certificate requests in their profile by clicking on Actions > New Certificate. AD users are only allowed to edit their profile description, GECOS, Login shell, add SSH public keys and add Certificates in PEM format, not add Certificate Requests.
Correct. AD users on IPA side represented as ID overrides in a 'Default Trust View' ID View. They are not users. When IPA CA processes certificate signing request, it is done through IPA server facade that does a number of checks to validate the requester and its rights to request and issue a certificate using defined profile. This code does not have support to process ID overrides as requesters. We probably can add this support as there is nothing fundamentally broken in doing so. The only problem is what SANs could be allowed for issuance. Of a particular 'no go' is the Kerberos principal -- since these are AD users, they cannot be used by IPA KDC as local principals, so their certificates should not have principals from local IPA realm. There might be other SAN types that is worth preventing. Also, CN would probably be somewhat mangled in this case and not exactly correspond to ID override's DN. This all is worth to file as a ticket with detailed use cases and proposals of a workflow and limitations, as well as security analysis.
We have tried a few things already: - Certificate Mappings. They are designed for user authentication to idm.ourdomain.local, no go.
Well, certificate mappings can also be used to map a certificate to a user from a trusted domain. This is normal and is actively used by various organizations because certificate mapping rules in IPA more flexible than in AD. In those cases people get their certificates issued by some other entity on tools like smartcards and IPA CA is not really used for that.
- From the docs https://www.freeipa.org/page/Active_Directory_trust_setup: Allow access for users from AD domain to protected resources: Which "protected resource" allows for users' certificates?
There is TLS certificate authentication that can be enabled for a web app, for example. A combination of mod_ssl + mod_lookup_identity + mod_auth_gssapi can turn a TLS client certificate authentication into a service ticket to itself (Kerberos S4U2Self extension) and then use it on behalf of the user to talk to other services (Kerberos S4U2Proxy extension). This, for example, can be enabled to IPA Web UI.
- From RH docs: CHAPTER 73. ENABLING AD USERS TO ADMINISTER IDM: AD users can administer IDM, but they cannot add a new Certificate Signing Request to their own profile.
As I said, there is currently no implementation in certificate issuance that would allow ID overrides to request certificates. Please open a ticket and work on a possible design how this could look like. You don't need to go deep to code level. Please list possible use cases and expected workflow to allow understanding possible drawbacks of this solution. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
