I'm looking into using <https://github.com/guilhem/freeipa-issuer> to request certificates from FreeIPA on behalf of a (FreeIPA) service.
The project authenticates to the FreeIPA API with a specified username and password: <https://github.com/guilhem/freeipa-issuer/blob/174d145616a672b09d3fdb56b2dd7c93612e483e/provisionners/freeipa.go#L38>

I presume this means that it's only possible for it to authenticate to the FreeIPA API as a user, as opposed to a host or service. That being the case, I am trying to lock things down as much as possible, so that the user is only able to request certificates for a single service.

I've had a read through Fraser's excellent blog post <https://frasertweedale.github.io/blog-redhat/posts/2015-09-02-freeipa-cert-issuance-delegation.html> which points me towards creating a CA ACL, which I've done. The CA ACL links together the user, the service and for good measure I specified the CA and the profile too. But it's not sufficient to allow a certificate request to work, as when the issuer tries to ask for the certificate:

    Fail to request certificate: ACIError (2100): Insufficient access: not allowed to perform operations: request certificate

Returning to the blog post, I gather I additionally need to grant the following two permissions to the user:

* 'Request Certificate'
* 'System: Modify Services'

What I'd like to understand is the scope of these permissions.

Does 'Request Certificate' merely unlock the ability to make requests that are themselves constrained by CA ACLs? That being the case, this permission alone doesn't let the user request certificates for any other hosts or services, right?

As for 'System: Modify Services': I guess granting this permission will allow the user to add certificates to *any* service? In which case, I suppose I need to create a new privilege that allows the usercertificate of a particular entry only to be modified. Are there any examples of this?

Many thanks as always.
-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org