| author | Fraser Tweedale <ftweedal@redhat.com> | 2015-05-25 08:39:07 -0400 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2015-06-11 10:50:31 +0000 |
| commit | bc0c60688505968daf6851e3e179aab20e23af7d (patch) | |
| tree | ea8cb740dfcd50ab46d73a350686502d80a902ec /install/updates | |
| parent | ae56ca422d1897569717fa44a5d483b10e490f6a (diff) | |
Add CA ACL plugin
Implement the caacl commands, which are used to indicate which
principals may be issued certificates from which (sub-)CAs, using
which profiles.
At this commit, and until sub-CAs are implemented, all rules refer
to the top-level CA (represented as ".") and no ca-ref argument is
exposed.
Also, during install and upgrade add a default CA ACL that permits
certificate issuance for all hosts and services using the profile
'caIPAserviceCert' on the top-level CA.
Part of: https://fedorahosted.org/freeipa/ticket/57
Part of: https://fedorahosted.org/freeipa/ticket/4559
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install/updates')
| -rw-r--r-- | install/updates/20-indices.update | 18 | ||||
| -rw-r--r-- | install/updates/25-referint.update | 2 | ||||
| -rw-r--r-- | install/updates/41-caacl.update | 4 | ||||
| -rw-r--r-- | install/updates/Makefile.am | 1 |
4 files changed, 25 insertions, 0 deletions
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index 880e73f3b..ed855b295 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -191,3 +191,21 @@ default:nsSystemIndex: false
 only:nsIndexType: eq
 only:nsIndexType: pres
 only:nsIndexType: sub
+
+dn: cn=ipaMemberCa,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaMemberCa
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only:nsIndexType: eq
+only:nsIndexType: pres
+only:nsIndexType: sub
+
+dn: cn=ipaMemberCertProfile,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ipaMemberCertProfile
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+default:nsSystemIndex: false
+only:nsIndexType: eq
+only:nsIndexType: pres
+only:nsIndexType: sub
diff --git a/install/updates/25-referint.update b/install/updates/25-referint.update
index 005cd0376..3f78ee975 100644
--- a/install/updates/25-referint.update
+++ b/install/updates/25-referint.update
@@ -17,3 +17,5 @@ add: referint-membership-attr: ipasudorunasgroup
 add: referint-membership-attr: ipatokenradiusconfiglink
 add: referint-membership-attr: ipaassignedidview
 add: referint-membership-attr: ipaallowedtarget
+add: referint-membership-attr: ipamemberca
+add: referint-membership-attr: ipamembercertprofile
diff --git a/install/updates/41-caacl.update b/install/updates/41-caacl.update
new file mode 100644
index 000000000..a18b6ec94
--- /dev/null
+++ b/install/updates/41-caacl.update
@@ -0,0 +1,4 @@
+dn: cn=caacls,cn=ca,$SUFFIX
+default: objectClass: nsContainer
+default: objectClass: top
+default: cn: caacls
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 1c7da35b2..2693e4f8f 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
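Review bot: Both new index entries in the 20-indices.update hunk request a `sub` index (`only:nsIndexType: sub`) for ipaMemberCa and ipaMemberCertProfile, which from their names appear to be DN-valued membership attributes; a substring index is the most expensive one for the directory server to maintain and is only useful if some caacl lookup actually uses a substring filter on these attributes. If the plugin only does equality and presence matching, `only:nsIndexType: eq` and `only:nsIndexType: pres` would be enough for both entries. If the `sub` index is kept deliberately to mirror the surrounding member attribute entries, a short `#` comment above the first new entry saying so would spare the next reader the same question.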
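Review bot: Registering ipamemberca and ipamembercertprofile with the referint plugin in the 25-referint.update hunk means that deleting or renaming a certificate profile entry (or, later, a CA entry) will silently rewrite every CA ACL that references it, which changes the effective scope of those ACLs without any action on the ACL itself. That is the usual cleanup behaviour for membership attributes, but since these particular attributes gate certificate issuance it seems worth stating in the caacl plugin's documentation that profile or CA removal is propagated into ACLs this way, so operators know to review ACLs after such a change. I cannot see from this hunk whether the plugin code already documents it.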
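Review bot: The new 41-caacl.update file creates `cn=caacls,cn=ca,$SUFFIX` but nothing in it creates the parent `cn=ca,$SUFFIX`, so the update relies on an earlier file (presumably 40-certprofile.update, which the Makefile.am hunk lists just before it) having run first; that ordering dependency is only encoded in the file number. A one-line comment at the top of the file, e.g. `# Container for CA ACL rules; parent cn=ca,$SUFFIX is created by 40-certprofile.update`, would make the dependency explicit. Note also that the two update files use different spacing after the `default:` keyword (`default:cn:` in 20-indices.update, `default: objectClass:` here); if both forms are accepted by the updater this is only a consistency nit, but picking one form in the new file avoids any doubt.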
@@ -34,6 +34,7 @@ app_DATA = \
  40-automember.update \
  40-certprofile.update \
  40-otp.update \
+ 41-caacl.update \
  45-roles.update \
  50-7_bit_check.update \
  50-dogtag10-migration.update \
