authorSimo Sorce <simo@redhat.com>2016-12-02 06:48:35 -0500
committerJan Cholasta <jcholast@redhat.com>2017-02-15 07:13:37 +0100
commitb6741d81e187fc84177c12ef8ad900d3b5cda6a4 (patch)
tree32e5c708bb5f5c2d3552d34c881facc890ee4cf8 /install
parentb109f5d850ce13585d4392ca48896dc069a746e5 (diff)
Use Anonymous user to obtain FAST armor ccache
The anonymous user allows the framework to obtain an armor ccache without relying on usable credentials, either via a keytab or via pkinit with public certificates. This will be needed once the HTTP keytab is moved away for privilege separation.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Diffstat (limited to 'install')
-rw-r--r--install/share/Makefile.am1
-rw-r--r--install/share/anon-princ-aci.ldif10
-rw-r--r--install/updates/20-aci.update6
3 files changed, 17 insertions, 0 deletions
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index 72f474a47..bb09c9882 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -27,6 +27,7 @@ dist_app_DATA = \
70topology.ldif \
71idviews.ldif \
72domainlevels.ldif \
+ anon-princ-aci.ldif \
bootstrap-template.ldif \
ca-topology.uldif \
caJarSigningCert.cfg.template \
diff --git a/install/share/anon-princ-aci.ldif b/install/share/anon-princ-aci.ldif
new file mode 100644
index 000000000..384a500be
--- /dev/null
+++ b/install/share/anon-princ-aci.ldif
@@ -0,0 +1,10 @@
+dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
+changetype: modify
+add: objectclass
+objectclass: ipaAllowedOperations
+-
+add: aci
+aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
+-
+add: ipaAllowedToPerform;read_keys
+ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
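Review bot: The new LDIF is a plain `changetype: modify` with three `add:` operations and nothing makes it idempotent, so replaying it against an entry that already carries `ipaAllowedOperations` or this ACI fails with "attribute or value exists", and it fails outright if the WELLKNOWN/ANONYMOUS entry has not been created yet; the sibling change in install/updates/20-aci.update expresses the same three values with `addifexist:` and tolerates both cases. That asymmetry may be intended (install-time vs. upgrade path), but the file carries no comment saying so, and the installer code that applies it is not in this diff, so the ordering relative to creation of the anonymous principal cannot be checked here. I would add a header comment: `# Lets members of cn=ipaservers read the keys of the anonymous principal so IPA servers can obtain a FAST armor ccache without a keytab. Not idempotent: upgrades use install/updates/20-aci.update instead.`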
diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index e9c10f54a..a15f9fec2 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -147,3 +147,9 @@ add:aci: (target = "ldap:///cn=*/($$dn),cn=dogtag,cn=custodia,cn=ipa,cn=etc,$SUF
# Dogtag service principals can search Custodia keys
add:aci: (target = "ldap:///cn=*,cn=custodia,cn=ipa,cn=etc,$SUFFIX")(targetattr = "ipaPublicKey || ipaKeyUsage || memberPrincipal")(version 3.0; acl "Dogtag service principals can search Custodia keys"; allow(read, search, compare) userdn = "ldap:///krbprincipalname=dogtag/*@$REALM,cn=services,cn=accounts,$SUFFIX";)
+
+# Anonymous Principal key retrieval
+dn: krbPrincipalName=WELLKNOWN/ANONYMOUS@$REALM,cn=$REALM,cn=kerberos,$SUFFIX
+addifexist: objectclass: ipaAllowedOperations
+addifexist: aci: (targetattr="ipaProtectedOperation;read_keys")(version 3.0; acl "Allow to retrieve keytab keys of the anonymous user"; allow(read) userattr="ipaAllowedToPerform;read_keys#GROUPDN";)
+addifexist: ipaAllowedToPerform;read_keys: cn=ipaservers,cn=hostgroups,cn=accounts,$SUFFIX
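Review bot: The ACI string and the `ipaAllowedToPerform;read_keys` value in the two `addifexist:` lines are a byte-for-byte copy of the ones in install/share/anon-princ-aci.ldif with no cross-reference, so a later edit to one (narrowing the allowed group, renaming the acl) can silently diverge from the other and leave fresh installs and upgraded servers with different permissions. I would extend the comment line to `# Anonymous Principal key retrieval -- keep in sync with install/share/anon-princ-aci.ldif`. Note also that `addifexist:` is a no-op while the WELLKNOWN/ANONYMOUS entry does not exist, so on an upgrade where that principal is created by a later step this update would be skipped; presumably the update runner orders this correctly, but it cannot be verified from this hunk.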