diff options
author | Jan Cholasta <jcholast@redhat.com> | 2014-06-18 09:02:03 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2014-06-24 12:10:01 +0200 |
commit | d6fb110b77e2c585f0bfc5eb11b0187a43263fa1 (patch) | |
tree | 2c04b98499f234bbd8f443e141b41670237ee64b /install/updates/40-delegation.update | |
parent | e675e427c713e41a5384d329bf453a998a70bb13 (diff) | |
download | freeipa-d6fb110b77e2c585f0bfc5eb11b0187a43263fa1.tar.gz freeipa-d6fb110b77e2c585f0bfc5eb11b0187a43263fa1.tar.xz freeipa-d6fb110b77e2c585f0bfc5eb11b0187a43263fa1.zip |
Support requests with SAN in cert-request.
For each SAN in a request there must be a matching service entry writable by
the requestor. Users can request certificates with SAN only if they have
"Request Certificate With SubjectAltName" permission.
https://fedorahosted.org/freeipa/ticket/3977
Reviewed-By: Martin Kosek <mkosek@redhat.com>
Diffstat (limited to 'install/updates/40-delegation.update')
-rw-r--r-- | install/updates/40-delegation.update | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update index 7d65e9e19..8c711612c 100644 --- a/install/updates/40-delegation.update +++ b/install/updates/40-delegation.update @@ -308,6 +308,21 @@ default:objectClass: top default:objectClass: nsContainer default:cn: certificate remove hold +dn: cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX +default:objectClass: top +default:objectClass: nsContainer +default:cn: request certificate with subjectaltname + +dn: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX +default:objectClass: top +default:objectClass: groupofnames +default:objectClass: ipapermission +default:cn: Request Certificate with SubjectAltName +default:member: cn=Certificate Administrators,cn=privileges,cn=pbac,$SUFFIX + +dn: $SUFFIX +add:aci:'(targetattr = "objectclass")(target = "ldap:///cn=request certificate with subjectaltname,cn=virtual operations,cn=etc,$SUFFIX" )(version 3.0; acl "permission:Request Certificate with SubjectAltName"; allow (write) groupdn = "ldap:///cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,$SUFFIX";)' + # Read privileges dn: cn=RBAC Readers,cn=privileges,cn=pbac,$SUFFIX |