author: Fraser Tweedale <ftweedal@redhat.com> 2016-07-12 15:11:11 +1000
committer: Petr Vobornik <pvoborni@redhat.com> 2016-07-13 18:34:17 +0200
commit: 8cd87d12d53a98a8e386c06a7c5fddb1d38d990d (patch)
tree: 2a89d4ad278d93da93702db3337652741e0ca04b /ipaserver
parent: 9feeaca9fb552229638ce98086aa75905a45b48d (diff)
caacl: expand plugin documentation
Expand the 'caacl' plugin documentation to explain some common confusions, including the fact that CA ACLs apply to the target subject principal (not necessarily the principal requesting the cert), and the fact that a CA-less CA ACL implies the 'ipa' CA.

Fixes: https://fedorahosted.org/freeipa/ticket/6002

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'ipaserver')
-rw-r--r--  ipaserver/plugins/caacl.py  34
1 files changed, 28 insertions, 6 deletions
diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 9a60f7e27..d316cc7c4 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
__doc__ = _("""
Manage CA ACL rules.
-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.
-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:
-A Profile ID is a string without spaces or punctuation starting with a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category. Services can be included by service name or the "all
+services" category. CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category. For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").
EXAMPLES:
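Review bot: the CERTIFICATE AUTHORITY SCOPE paragraph states that a CA ACL with no CA association implies the 'ipa' CA "for compatibility reasons", but stops there; because that implicit default decides which CA a rule grants access to without anything visible in the rule itself, consider following "(and only this CA)." with a sentence recommending that new CA ACLs name their CA(s) explicitly rather than relying on the default. Minor wording in the SUBJECT PRINCIPAL SCOPE paragraph: "CA ACLs may be associated with a single type of principal, or multiple types." reads more simply as "A CA ACL may include one or more principal types."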