authorFraser Tweedale <ftweedal@redhat.com>2015-05-25 08:39:07 -0400
committerJan Cholasta <jcholast@redhat.com>2015-06-11 10:50:31 +0000
commitbc0c60688505968daf6851e3e179aab20e23af7d (patch)
treeea8cb740dfcd50ab46d73a350686502d80a902ec /install
parentae56ca422d1897569717fa44a5d483b10e490f6a (diff)
Add CA ACL plugin
Implement the caacl commands, which are used to indicate which principals may be issued certificates from which (sub-)CAs, using which profiles. At this commit, and until sub-CAs are implemented, all rules refer to the top-level CA (represented as ".") and no ca-ref argument is exposed. Also, during install and upgrade add a default CA ACL that permits certificate issuance for all hosts and services using the profile 'caIPAserviceCert' on the top-level CA. Part of: https://fedorahosted.org/freeipa/ticket/57 Part of: https://fedorahosted.org/freeipa/ticket/4559 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install')
-rw-r--r--install/share/60certificate-profiles.ldif5
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/bootstrap-template.ldif6
-rw-r--r--install/share/default-caacl.ldif11
-rw-r--r--install/share/indices.ldif20
-rw-r--r--install/updates/20-indices.update18
-rw-r--r--install/updates/25-referint.update2
-rw-r--r--install/updates/41-caacl.update4
-rw-r--r--install/updates/Makefile.am1
9 files changed, 68 insertions, 0 deletions
diff --git a/install/share/60certificate-profiles.ldif b/install/share/60certificate-profiles.ldif
index f1281949e..798c3a3b0 100644
--- a/install/share/60certificate-profiles.ldif
+++ b/install/share/60certificate-profiles.ldif
@@ -1,3 +1,8 @@
dn: cn=schema
attributeTypes: (2.16.840.1.113730.3.8.21.1.1 NAME 'ipaCertProfileStoreIssued' DESC 'Store certificates issued using this profile' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE X-ORIGIN 'IPA v4.2' )
+attributeTypes: (2.16.840.1.113730.3.8.21.1.2 NAME 'ipaMemberCa' DESC 'Reference to a CA member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' )
+attributeTypes: (2.16.840.1.113730.3.8.21.1.3 NAME 'ipaMemberCertProfile' DESC 'Reference to a certificate profile member' SUP distinguishedName EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 X-ORIGIN 'IPA v4.2' )
+attributeTypes: (2.16.840.1.113730.3.8.21.1.4 NAME 'ipaCaCategory' DESC 'Additional classification for CAs' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' )
+attributeTypes: (2.16.840.1.113730.3.8.21.1.5 NAME 'ipaCertProfileCategory' DESC 'Additional classification for certificate profiles' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'IPA v4.2' )
objectClasses: (2.16.840.1.113730.3.8.21.2.1 NAME 'ipaCertProfile' SUP top STRUCTURAL MUST ( cn $ description $ ipaCertProfileStoreIssued ) X-ORIGIN 'IPA v4.2' )
+objectClasses: (2.16.840.1.113730.3.8.21.2.2 NAME 'ipaCaAcl' SUP ipaAssociation STRUCTURAL MUST cn MAY ( ipaCaCategory $ ipaCertProfileCategory $ userCategory $ hostCategory $ serviceCategory $ ipaMemberCa $ ipaMemberCertProfile $ memberService ) X-ORIGIN 'IPA v4.2' )
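Review bot: The DESC strings on the two new category attributes ("Additional classification for CAs" / "... for certificate profiles") do not say how the category is evaluated, and schema DESC text is awkward to change once deployed. If they follow the hostCategory/serviceCategory convention that the default ACL in this commit relies on (value `all` matches every entry), say so now, e.g. `DESC 'CA category; the value all matches every CA'` and the same form for ipaCertProfileCategory. The ipaCaAcl objectClass lists only memberService and the category attributes itself, so memberUser, memberHost and ipaEnabledFlag appear to come from the ipaAssociation superclass; that inheritance is worth a one-line comment above the objectClasses entry, since the default ACL entry in this commit sets ipaenabledflag without it being visible in this schema.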
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 5d8397bb1..53f0ecf01 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -29,6 +29,7 @@ app_DATA = \
bootstrap-template.ldif \
caJarSigningCert.cfg.template \
default-aci.ldif \
+ default-caacl.ldif \
default-hbac.ldif \
default-smb-group.ldif \
default-trust-view.ldif \
diff --git a/install/share/bootstrap-template.ldif b/install/share/bootstrap-template.ldif
index c5d4bad8b..2387f220f 100644
--- a/install/share/bootstrap-template.ldif
+++ b/install/share/bootstrap-template.ldif
@@ -441,3 +441,9 @@ changetype: add
objectClass: nsContainer
objectClass: top
cn: certprofiles
+
+dn: cn=caacls,cn=ca,$SUFFIX
+changetype: add
+objectClass: nsContainer
+objectClass: top
+cn: caacls
diff --git a/install/share/default-caacl.ldif b/install/share/default-caacl.ldif
new file mode 100644
index 000000000..f3cd5b4d4
--- /dev/null
+++ b/install/share/default-caacl.ldif
@@ -0,0 +1,11 @@
+# default CA ACL that grants use of caIPAserviceCert on top-level CA to all hosts and services
+dn: ipauniqueid=autogenerate,cn=caacls,cn=ca,$SUFFIX
+changetype: add
+objectclass: ipaassociation
+objectclass: ipacaacl
+ipauniqueid: autogenerate
+cn: hosts_services_caIPAserviceCert
+ipaenabledflag: TRUE
+ipamembercertprofile: cn=caIPAserviceCert,cn=certprofiles,cn=ca,$SUFFIX
+hostcategory: all
+servicecategory: all
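Review bot: The header comment states the grant but not why the rule names no CA: the entry carries neither ipamemberca nor ipacacategory, which is only correct while the top-level CA is the sole CA, as the commit message explains. Add that reasoning to the file so it survives the sub-CA work, e.g. `# no ipamemberca/ipacacategory: only the top-level CA exists until sub-CAs are implemented; revisit when a ca-ref is exposed`. It would also help to state explicitly that the rule covers every host and service principal but no user principals (no usercategory or memberuser is set), since that is the effective permission boundary of the default.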
diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index ad678e0b2..70a587d7a 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -227,3 +227,23 @@ ObjectClass: top
ObjectClass: nsIndex
nsSystemIndex: false
nsIndexType: eq
+
+dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipaMemberCa
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
+
+dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+changetype: add
+cn: ipaMemberCertProfile
+ObjectClass: top
+ObjectClass: nsIndex
+nsSystemIndex: false
+nsIndexType: eq
+nsIndexType: pres
+nsIndexType: sub
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 880e73f3b..ed855b295 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -191,3 +191,21 @@ default:nsSystemIndex: false
only:nsIndexType: eq
only:nsIndexType: pres
only:nsIndexType: sub
+
+dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaMemberCa
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only:nsIndexType: eq
+only:nsIndexType: pres
+only:nsIndexType: sub
+
+dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaMemberCertProfile
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only:nsIndexType: eq
+only:nsIndexType: pres
+only:nsIndexType: sub
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index 005cd0376..3f78ee975 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -17,3 +17,5 @@ add: referint-membership-attr: ipasudorunasgroup
add: referint-membership-attr: ipatokenradiusconfiglink
add: referint-membership-attr: ipaassignedidview
add: referint-membership-attr: ipaallowedtarget
+add: referint-membership-attr: ipamemberca
+add: referint-membership-attr: ipamembercertprofile
diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update
new file mode 100644
index 000000000..a18b6ec94
--- /dev/null
+++ b/install/updates/41-caacl.update
@@ -0,0 +1,4 @@
+dn: cn=caacls,cn=ca,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: caacls
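Review bot: This upgrade file creates only the cn=caacls container, while the commit message says the default CA ACL is added "during install and upgrade"; the diffstat is limited to install/, so presumably the upgrade-time creation of the default entry lives elsewhere, but if it does not, upgraded deployments would have the container and no rule permitting caIPAserviceCert issuance. A one-line comment here naming where the default ACL is added on upgrade would make that dependency visible. Separately, the `default: objectClass: nsContainer` form (space after the first colon) differs from the `default:cn: ...` / `default:ObjectClass: ...` form used in 20-indices.update in this same commit; picking one spelling keeps the update files consistent.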
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1c7da35b2..2693e4f8f 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -34,6 +34,7 @@ app_DATA = \
40-automember.update \
40-certprofile.update \
40-otp.update \
+ 41-caacl.update \
45-roles.update \
50-7_bit_check.update \
50-dogtag10-migration.update \