Dear Alexander, Thank you for your message, it's been very helpful!
I stumbled upon a very relevant thread to which you also contributed:
https://lists.fedorahosted.org/archives/list/[email protected]/thread/5IXBFOXMLFOZILHRA3KSGDGHC3LCBEHB/?sort=date

This is exactly what we need: a client IdM member (certs-server) where ad_users can ssh in and manage their certificates. In that thread you respond:

"You'd need to create an ACL that would allow a host identity that certmonger uses to have write rights to the userCertificate attribute of the target user. You have already successfully passed the CA ACL check because the framework tried to see if you have rights to actually write the resulting certificate (public cert) to the userCertificate attribute of the target entry, so it was not a question whether you can issue (yes, you can) but whether you can store the cert (you cannot).

A way to create that would be by utilizing the permissions/roles system of FreeIPA. Something like this:

    ipa permission-add write-user-certificate-permission \
        --right=write --attrs=userCertificate --type=user
    ipa privilege-add write-user-certificate-privilege
    ipa privilege-add-permission write-user-certificate-privilege \
        --permissions=write-user-certificate-permission
    ipa role-add user-certificate-issuer
    ipa role-add-privilege user-certificate-issuer \
        --privileges=write-user-certificate-privilege
    ipa role-add-member user-certificate-issuer \
        --hosts=apex-openvpn"

In order to replicate this we'd need to:

1. Enable certmonger on the IdM server.
2. Create an ACL that "would allow a host identity that certmonger uses to have write rights to the userCertificate attribute of the target user".
3. AD users log in to the client machine certs-server (ssh).
4. Using certmonger, generate a key and CSR.

Do I understand correctly?

> Please open a ticket and work on a possible design how this could look
> like. You don't need to go deep to code level. Please list possible use
> cases and expected workflow to allow understanding possible drawbacks of
> this solution.
How is this for a first draft?

- New Feature: Allow AD users to manage their own certificates.
- Rationale: AD users can currently authenticate to IdM client machines. There are additional services which need certificate-based authentication on a per-user or per-group basis, such as VPN and web servers.
- Workflow:
  1. The Certificate Management server (certs-server) is set up to host multiple services' certificates: VPN, web-server-1, ...
  2. Access is granted to AD users to the certs-server and to the relevant services.
  3. The AD user logs in to the certs-server.
  4. The AD user manages certificates for the available services: manage keys and the certificates' lifecycle.

Pedro.

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
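The permission -> privilege -> role -> host chain quoted from the thread, wrapped so it can be re-run safely. This is an added example, not code from the thread or from FreeIPA itself. It assumes the `ipa` CLI is installed and an admin Kerberos ticket is held; the object names are the ones from the thread, and the host FQDN in `CERT_HOST` is an assumed placeholder for the machine whose certmonger will store the certificates. The security-relevant detail it preserves is scope: the permission grants `write` on the single attribute `userCertificate` of user entries, and the role is bound to the host identity, not to the AD users.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): idempotently build the FreeIPA RBAC chain
# that lets a host identity write userCertificate on user entries.
# Assumes: "ipa" CLI available and an admin ticket (kinit admin) already obtained.
set -eu

PERM=write-user-certificate-permission
PRIV=write-user-certificate-privilege
ROLE=user-certificate-issuer
# Assumed placeholder FQDN of the host running certmonger; override via environment.
CERT_HOST=${CERT_HOST:-certs-server.example.test}

# exists <object-type> <name>: succeed if "ipa <type>-show <name>" finds the object.
exists() {
    ipa "$1-show" "$2" >/dev/null 2>&1
}

# ensure_rbac_chain: create only the missing pieces, so a second run changes nothing.
# The *-add-* membership commands exit non-zero when the member is already attached,
# so their failure is tolerated after the object itself is known to exist.
ensure_rbac_chain() {
    # Permission scoped to a single attribute of user entries: write userCertificate only.
    exists permission "$PERM" || \
        ipa permission-add "$PERM" --right=write --attrs=userCertificate --type=user

    exists privilege "$PRIV" || ipa privilege-add "$PRIV"
    ipa privilege-add-permission "$PRIV" --permissions="$PERM" >/dev/null 2>&1 || true

    exists role "$ROLE" || ipa role-add "$ROLE"
    ipa role-add-privilege "$ROLE" --privileges="$PRIV" >/dev/null 2>&1 || true

    # Grant the role to the host identity certmonger authenticates as, not to AD users.
    ipa role-add-member "$ROLE" --hosts="$CERT_HOST" >/dev/null 2>&1 || true
}

# show_chain: print the resulting role so the privilege and host member can be reviewed.
show_chain() {
    ipa role-show "$ROLE"
}

# Run only when explicitly asked, e.g.:  CERT_HOST=certs-server.example.test ./rbac.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ensure_rbac_chain
    show_chain
fi
```

After applying, `ipa role-show user-certificate-issuer` should list the privilege and the host; if certmonger on that host still cannot store a user's certificate, the host it authenticates as is the first thing to compare against the role's member list.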
