diff options
author | Rob Crittenden <rcritten@redhat.com> | 2009-11-03 09:35:19 -0500 |
---|---|---|
committer | Jason Gerard DeRose <jderose@redhat.com> | 2009-11-03 09:04:05 -0700 |
commit | bd619adb5c1cfcd9e72c18896aded82e2ab33faa (patch) | |
tree | 749d6ef90707772a5146d03c6bc78ef59a5f664c /ipalib/plugins/service.py | |
parent | e4c119ed4b05fe600377360e697483bd59000b37 (diff) | |
download | freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.gz freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.tar.xz freeipa-bd619adb5c1cfcd9e72c18896aded82e2ab33faa.zip |
Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.
In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service
It might look something like:
admin
ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin
client
ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
Diffstat (limited to 'ipalib/plugins/service.py')
-rw-r--r-- | ipalib/plugins/service.py | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py index 481a9f6d..449acbae 100644 --- a/ipalib/plugins/service.py +++ b/ipalib/plugins/service.py @@ -103,12 +103,16 @@ class service(LDAPObject): 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject', 'ipaservice', 'pkiuser' ] - default_attributes = ['krbprincipalname', 'usercertificate'] + default_attributes = ['krbprincipalname', 'usercertificate', 'managedby'] uuid_attribute = 'ipauniqueid' attribute_names = { 'krbprincipalname': 'kerberos principal', 'usercertificate': 'user certificate', 'ipauniqueid': 'unique identifier', + 'managedby': 'managed by', + } + attribute_members = { + 'managedby': ['host'], } takes_params = ( @@ -131,6 +135,7 @@ class service_add(LDAPCreate): """ Add new service. """ + member_attributes = ['managedby'] takes_options = ( Flag('force', doc='force principal name even if not in DNS', @@ -176,6 +181,7 @@ class service_del(LDAPDelete): """ Delete an existing service. """ + member_attributes = ['managedby'] def pre_callback(self, ldap, dn, *keys, **options): if self.api.env.enable_ra: (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate']) @@ -192,6 +198,7 @@ class service_mod(LDAPUpdate): """ Modify service. """ + member_attributes = ['managedby'] def pre_callback(self, ldap, dn, entry_attrs, *keys, **options): cert = entry_attrs.get('usercertificate') if cert: @@ -213,6 +220,7 @@ class service_find(LDAPSearch): """ Search for services. """ + member_attributes = ['managedby'] def pre_callback(self, ldap, filter, attrs_list, base_dn, *args, **options): # lisp style! custom_filter = '(&(objectclass=ipaService)' \ @@ -233,6 +241,24 @@ class service_show(LDAPRetrieve): """ Display service. """ + member_attributes = ['managedby'] api.register(service_show) +class service_add_host(LDAPAddMember): + """ + Add members to service. + """ + member_attributes = ['managedby'] + +api.register(service_add_host) + + +class service_remove_host(LDAPRemoveMember): + """ + Remove members from service. + """ + member_attributes = ['managedby'] + +api.register(service_remove_host) + |