Hello,
I am setting up a CA and am rather confused about how to set up my RBAC.
My public interface lets users in without them needing to present a certificate. My RA interface lets RAs in only when they present a valid certificate with role=RA.
In its current configuration, users can execute RA commands, so I need my RBAC setup to only allow execution of these commands with an RA certificate.
At the moment, my pub.xml.template file contains the following lines:
<acl_config>
  <acl>yes</acl>
  <list>/usr/local/OpenCA/etc/rbac/acl.xml</list>
  <command_dir>/usr/local/OpenCA/etc/rbac/cmds</command_dir>
  <module_id>@pub_module_id@</module_id>
  <map_role>no</map_role>
  <map_operation>yes</map_operation>
</acl_config>
If I set map_role to yes, users get the following error:
Error 6293017
General Error There is a problem with the configuration. A user can only be mapped to a role if the identification uses certificates.
My acl.xml.template contains the following:
<openca>
<access_control>
<acl>
<!-- Everyone has access to the public module -->
<permission>
<module>@pub_module_id@</module>
<role>.*</role>
<operation>.*</operation>
<owner>.*</owner>
</permission>
<!-- RAs and CAs have access to the RA/node interfaces -->
<permission>
<module>@ra_module_id@</module>
<role>RA Operator</role>
<operation>.*</operation>
<owner>.*</owner>
</permission>
<permission>
.
.
.
Many thanks
Matt
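An added illustration (my own code, not OpenCA's) of how the acl.xml entries quoted above combine. It assumes each element is matched as a full regular expression and that any matching <permission> grants access, with a user who logged in without a certificate carrying an empty role; the module ids and operation names are made up, and restrict_module shows one way of narrowing the public module's operations rather than anything OpenCA ships.

```python
import re
import xml.etree.ElementTree as ET

# Constructed ACL in the shape of the acl.xml above; "pub" and "ra" stand in
# for the @pub_module_id@ / @ra_module_id@ template placeholders.
ACL_XML = """<openca><access_control><acl>
<permission><module>pub</module><role>.*</role>
<operation>.*</operation><owner>.*</owner></permission>
<permission><module>ra</module><role>RA Operator</role>
<operation>.*</operation><owner>.*</owner></permission>
</acl></access_control></openca>"""

FIELDS = ("module", "role", "operation", "owner")

def load_permissions(xml_text):
    """Return one (module, role, operation, owner) pattern tuple per <permission>."""
    root = ET.fromstring(xml_text)
    return [tuple(p.findtext(f, "").strip() for f in FIELDS)
            for p in root.iter("permission")]

def is_allowed(perms, module, role, operation, owner="self"):
    """Grant access if any entry matches every field as a full regex.

    Assumption (not from the post): each element is a regular expression and
    any matching <permission> grants access; a user who logged in without a
    certificate has no role, modelled here as the empty string.
    """
    request = (module, role, operation, owner)
    return any(all(re.fullmatch(pat, val) for pat, val in zip(entry, request))
               for entry in perms)

def restrict_module(perms, module, operation_pattern):
    """Copy of perms where entries for `module` only allow operations matching
    `operation_pattern` (the kind of tightening the post is asking about)."""
    return [(m, r, operation_pattern if m == module else op, ow)
            for m, r, op, ow in perms]

if __name__ == "__main__":
    perms = load_permissions(ACL_XML)
    # With <role>.*</role> and <operation>.*</operation> on the public module,
    # an anonymous public user matches an RA-style command (hypothetical name).
    print(is_allowed(perms, "pub", "", "approveRequest"))   # True
    # Limit public users to user-facing operations (hypothetical names).
    hardened = restrict_module(perms, "pub", "(getCert|sendCSR|checkStatus)")
    print(is_allowed(hardened, "pub", "", "approveRequest"))  # False
    print(is_allowed(hardened, "pub", "", "getCert"))         # True
    print(is_allowed(hardened, "ra", "RA Operator", "approveRequest"))  # True
```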
Openca-Users mailing list: https://lists.sourceforge.net/lists/listinfo/openca-users
