[Freeipa-users] Duplicate certificate tracking request

2019-06-14 Thread Remco Kranenburg via FreeIPA-users
Hi all,

We noticed that we have a duplicate tracking request for a certificate.
Is this normal, or can we remove one of them? We suspect that this
happened because we migrated our systems to another provider and we
made a mistake with FreeIPA.

The tracking requests as reported by getcert:

Request ID '20170801134610':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/ssl/private/ipa_host.key'
    certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2021-01-07 15:03:30 UTC
    dns: ipa.example.com
    principal name: host/ipa.example@example.com
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20190107150328':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/ssl/private/ipa_host.key'
    certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2021-01-07 15:03:30 UTC
    dns: ipa.example.com
    principal name: host/ipa.example@example.com
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes


--
Remco Kranenburg
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
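
A check for the situation described in the message above, as an added example that is not part of the original post or of certmonger: it parses `getcert list` output and groups request IDs that track the same key and certificate storage. The sample text (including the third, made-up request) is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `getcert list` output quoted above.
# The second request has a wrapped value; the third (web.*) is made up.
SAMPLE = """\
Request ID '20170801134610':
    status: MONITORING
    key pair storage: type=FILE,location='/etc/ssl/private/ipa_host.key'
    certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
Request ID '20190107150328':
    key pair storage:
    type=FILE,location='/etc/ssl/private/ipa_host.key'
    certificate: type=FILE,location='/etc/ssl/certs/ipa_host.crt'
Request ID '20190301120000':
    key pair storage: type=FILE,location='/etc/ssl/private/web.key'
    certificate: type=FILE,location='/etc/ssl/certs/web.crt'
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):\s*(.*)$")

def parse_requests(text):
    """Return {request_id: {field: value}}; a value wrapped onto the next line is rejoined."""
    requests, current, last = {}, None, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current, last = requests.setdefault(m.group(1), {}), None
            continue
        if current is None or not line.strip():
            continue  # header text before the first request, or a blank line
        f = FIELD_RE.match(line)
        if f:
            last = f.group(1).strip()
            current[last] = f.group(2).strip()
        elif last is not None:  # continuation of the previous field's value
            current[last] = (current[last] + " " + line.strip()).strip()
    return requests

def find_duplicates(requests):
    """Map (key storage, certificate storage) to the request IDs tracking that same pair."""
    by_storage = defaultdict(list)
    for req_id, fields in requests.items():
        key = (fields.get("key pair storage"), fields.get("certificate"))
        if all(key):  # skip requests whose storage fields are missing
            by_storage[key].append(req_id)
    return {k: sorted(v) for k, v in by_storage.items() if len(v) > 1}

if __name__ == "__main__":
    print(find_duplicates(parse_requests(SAMPLE)))
```
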


[Freeipa-users] Is the admins group special?

2018-11-21 Thread Remco Kranenburg via FreeIPA-users
Hi all,

We received a question from one of our auditors about who has the
permission to do certain actions in FreeIPA itself. This is managed by
the RBAC system: you can for example configure that certain groups are
allowed to manage certain parts of FreeIPA.

We currently only have two roles: normal users and admins. Normal users
have the default self-service permissions, and admins can do anything
within FreeIPA. However, for that last part we cannot figure out how
this is specified within FreeIPA. There is no RBAC role that gives
admins all permissions.

Is the admins group maybe special, in that it is hardcoded to be able
to change anything within FreeIPA?

--
Remco Kranenburg