[Freeipa-devel] Services in IPA v1 and migration to v2 - update
Dmitri Pal
dpal at redhat.com
Mon Dec 1 23:03:35 UTC 2008
Hi,
One of the things I was supposed to research is the current (v1)
implementation of the services in the IPA and how we need to change the
service object to allow certificate publishing.
I talked to Rob about it. The current implementation of a service uses just the
kerberos schema. A service in the DS looks like this:
# host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM, GSSLAB.RDU.REDHAT.COM, kerberos, gsslab.rdu.redhat.com
dn: krbprincipalname=host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
krbTicketFlags: 0
krbPrincipalName: host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
krbLastPwdChange: 20080505185058Z
krbExtraData:: AAISVx9Icm9vdC9hZG1pbkBHU1NMQUIuUkRVLlJFREhBVC5DT00A
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top
krbPasswordExpiration: 19700101000000Z
or like this:
# HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM, GSSLAB.RDU.REDHAT.COM, kerberos, gsslab.rdu.redhat.com
dn: krbprincipalname=HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
krbTicketFlags: 0
krbPrincipalName: HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
krbLastPwdChange: 20080505185102Z
krbExtraData:: AAIWVx9Icm9vdC9hZG1pbkBHU1NMQUIuUkRVLlJFREhBVC5DT00A
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top
krbPasswordExpiration: 19700101000000Z
To be able to publish certs into the service entry we need to have both
the kerberos attributes and attributes defined in the pkiUser object
class (RFC 4523):
( 2.5.6.21 NAME 'pkiUser'
DESC 'X.509 PKI User'
SUP top AUXILIARY
MAY userCertificate )
In IPA v1, when the entry is created it does not have any kerberos key
material until the ipa-getkeytab utility is used to generate a keytab for
the service.
It seems that it would be a simple migration task to apply pkiUser
object class to all entries in the services hive of the tree.
This would allow later publishing a certificate into a service if needed.
The management of services would also have to be changed to apply the
pkiUser object class when a service entry is created via the UI or CLI.
If there are no objections or comments I will add this information to
the design page that talks about services.
Thanks
Dmitri
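The migration step described in the message, as an added example that is not part of the original post and not IPA's own migration code: a stand-alone Python script that reads an LDIF dump of the cn=kerberos subtree, picks out service principals that still lack the pkiUser auxiliary class, and emits the ldapmodify records that add it. The sample dump is constructed from the two entries quoted above plus a krbtgt entry; the rule that skips krbtgt/ and K/M (KDC-internal principals that will never carry a certificate), the "slash in the principal name means service" heuristic, and all function names are assumptions made for this example.

```python
"""Generate ldapmodify LDIF that adds the pkiUser object class to IPA v1
service principals.  Example code, not part of FreeIPA; stdlib only."""
import base64
import re

# Constructed sample dump (what `ldapsearch -LLL -b cn=kerberos,...` might
# return).  Entry 1 needs pkiUser, entry 2 already has it, entry 3 is the
# KDC's own krbtgt principal and must be left alone (assumption).
SAMPLE_LDIF = """\
dn: krbprincipalname=host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
krbTicketFlags: 0
krbPrincipalName: host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
krbLastPwdChange: 20080505185058Z
krbExtraData:: AAISVx9Icm9vdC9hZG1pbkBHU1NMQUIuUkRVLlJFREhBVC5DT00A
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top
krbPasswordExpiration: 19700101000000Z

dn: krbprincipalname=HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
krbTicketFlags: 0
krbPrincipalName: HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: pkiUser
objectClass: top

dn: krbprincipalname=krbtgt/GSSLAB.RDU.REDHAT.COM@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
krbPrincipalName: krbtgt/GSSLAB.RDU.REDHAT.COM@GSSLAB.RDU.REDHAT.COM
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: top
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns [(dn, {attr_lowercase: [values]})].
    Handles folded lines (leading space), comments and '::' base64 values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        unfolded = re.sub(r"\n ", "", block)      # join continuation lines
        dn, attrs = None, {}
        for line in unfolded.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("latin-1")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def needs_pkiuser(attrs):
    """True for a kerberos service principal that does not yet carry pkiUser.
    Object class matching is case-insensitive, as LDAP schema names are."""
    ocs = {oc.lower() for oc in attrs.get("objectclass", [])}
    if "krbprincipal" not in ocs or "pkiuser" in ocs:
        return False
    principal = attrs.get("krbprincipalname", [""])[0]
    name = principal.split("@", 1)[0]
    if "/" not in name:
        return False          # no instance part: a user, not a service (assumption)
    if name.startswith("krbtgt/") or name == "K/M":
        return False          # KDC-internal principals never publish certs (assumption)
    return True


def build_modify_ldif(entries):
    """Emit one 'changetype: modify' record per entry that needs pkiUser."""
    records = []
    for dn, attrs in entries:
        if needs_pkiuser(attrs):
            records.append(
                f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
                "objectClass: pkiUser\n-\n"
            )
    return "\n".join(records)


def migration_plan(ldif_text):
    """Convenience wrapper: dump in, (count of entries to change, LDIF) out."""
    entries = parse_ldif(ldif_text)
    ldif = build_modify_ldif(entries)
    return ldif.count("changetype: modify"), ldif


if __name__ == "__main__":
    count, ldif = migration_plan(SAMPLE_LDIF)
    print(f"# {count} entr{'y' if count == 1 else 'ies'} to modify")
    print(ldif)
```

Pipe the output into `ldapmodify -x -D "cn=Directory Manager" -W` against the real server only after reviewing it; because the script decides on the dump rather than the live tree, run it against a fresh export so that entries created (or already migrated) in the meantime are not missed or double-modified. Adding an auxiliary class is idempotent in intent but a second `add: objectClass` for a value already present is rejected by the server, which is why the script skips entries that already list pkiUser.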