summaryrefslogtreecommitdiffstats
path: root/install/updates
diff options
context:
space:
mode:
authorRob Crittenden <rcritten@redhat.com>2009-10-20 11:59:07 -0400
committerJason Gerard DeRose <jderose@redhat.com>2009-10-21 03:22:44 -0600
commit453a19fcaca9c2be1e3d0e78b734bd05e7d50764 (patch)
tree76d5a8516f1d515e74da848050eae32732a64fad /install/updates
parentaa2183578cb58d9f55b5f1b64c13627b88dae37c (diff)
downloadfreeipa-453a19fcaca9c2be1e3d0e78b734bd05e7d50764.zip
freeipa-453a19fcaca9c2be1e3d0e78b734bd05e7d50764.tar.gz
freeipa-453a19fcaca9c2be1e3d0e78b734bd05e7d50764.tar.xz
First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for other machines. I've added a new taksgroup which will allow this. The requesting IP is resolved and compared to the subject of the CSR to determine if they are the same host. The same is done with the service principal. Subject alt names are not queried yet. This does not yet grant machines actual permission to request certificates yet, that is still limited to the taskgroup request_certs.
Diffstat (limited to 'install/updates')
-rw-r--r--install/updates/40-delegation.update42
1 files changed, 37 insertions, 5 deletions
diff --git a/install/updates/40-delegation.update b/install/updates/40-delegation.update
index b07dfc7..1be1789 100644
--- a/install/updates/40-delegation.update
+++ b/install/updates/40-delegation.update
@@ -292,6 +292,13 @@ add:cn: removeservices
add:description: Remove Services
add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+dn: cn=modifyservices,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: modifyservices
+add:description: Modify Services
+add:member:'cn=serviceadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
# Add the ACIs that grant these permissions for service administration
dn: $SUFFIX
@@ -301,6 +308,10 @@ add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
add:aci: '(target = "ldap:///krbprincipalname=*,cn=services,cn=accounts,
$SUFFIX")(version 3.0;acl "Remove Services";allow (delete) groupdn = "ldap
:///cn=removeservices,cn=taskgroups,cn=accounts,$SUFFIX";)'
+add:aci: '(targetattr = "userCertificate")(target = "ldap:///krbprincipal
+ name=*,cn=services,cn=accounts,$SUFFIX")(version 3.0;acl "Modify Services"
+ ;allow (write) groupdn = "ldap:///cn=modifyservices,cn=taskgroups,cn=acco
+ unts,$SUFFIX";)'
# Add the taskgroups referenced by the ACIs for delegation administration
# This just lets one manage taskgroup membership and create and delete roles
@@ -522,7 +533,7 @@ add:cn: request certificate
dn: cn=request_certs,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
-add:cn: reqeust_certs
+add:cn: request_certs
add:description: Request a SSL Certificate
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
@@ -533,6 +544,27 @@ add: aci: '(targetattr = "objectClass")(target =
CA" ; allow (write) groupdn = "ldap:///cn=request_certs,cn=taskgroups,
cn=accounts,$SUFFIX";)'
+# Request Certificate from different host virtual op
+dn: cn=request certificate different host,cn=virtual operations,$SUFFIX
+add:objectClass: top
+add:objectClass: nsContainer
+add:cn: request certificate different host
+
+# Taskgroup for requesting certs from a different host
+dn: cn=request_cert_different_host,cn=taskgroups,cn=accounts,$SUFFIX
+add:objectClass: top
+add:objectClass: nestedgroup
+add:cn: request_cert_different_host
+add:description: Request a SSL Certificate from a different host
+add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
+
+dn: $SUFFIX
+add: aci: '(targetattr = "objectClass")(target =
+ "ldap:///cn=request certificate different host,cn=virtual operations,
+ $SUFFIX" )(version 3.0 ; acl "Request Certificates from a
+ different host" ; allow (write) groupdn = "ldap:///cn=request_cert
+ _different_host,cn=taskgroups,cn=accounts,$SUFFIX";)'
+
# Certificate Status virtual op
dn: cn=certificate status,cn=virtual operations,$SUFFIX
add:objectClass: top
@@ -543,7 +575,7 @@ add:cn: certificate status
dn: cn=certificate_status,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
-add:cn: reqeust_certs
+add:cn: certificate_status
add:description: Status of cert request
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
@@ -564,7 +596,7 @@ add:cn: revoke certificate
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
-add:cn: reqeust_certs
+add:cn: revoke_certificate
add:description: Revoke Certificate
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
@@ -585,7 +617,7 @@ add:cn: revoke certificate
dn: cn=revoke_certificate,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
-add:cn: reqeust_certs
+add:cn: revoke_certificate
add:description: Revoke Certificate
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'
@@ -606,7 +638,7 @@ add:cn: certificate remove hold
dn: cn=certificate_remove_hold,cn=taskgroups,cn=accounts,$SUFFIX
add:objectClass: top
add:objectClass: nestedgroup
-add:cn: reqeust_certs
+add:cn: certificate_remove_hold
add:description: Certificate Remove Hold
add:member:'cn=certadmin,cn=rolegroups,cn=accounts,$SUFFIX'