[Freeipa-devel] Services in IPA v1 and migration to v2 - update

Dmitri Pal dpal at redhat.com
Mon Dec 1 23:03:35 UTC 2008


Hi,

One of the things I was supposed to research is the current (v1) 
implementation of services in IPA and how we need to change the 
service object to allow certificate publishing.
I talked to Rob about it. The current implementation for a service uses 
just the Kerberos schema. A service in the DS looks like this:

   # host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM, GSSLAB.RDU.REDHAT.COM, kerberos, gsslab.rdu.redhat.com
   dn: krbprincipalname=host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
   krbTicketFlags: 0
   krbPrincipalName: host/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
   krbLastPwdChange: 20080505185058Z
   krbExtraData:: AAISVx9Icm9vdC9hZG1pbkBHU1NMQUIuUkRVLlJFREhBVC5DT00A
   objectClass: krbprincipal
   objectClass: krbprincipalaux
   objectClass: krbTicketPolicyAux
   objectClass: top
   krbPasswordExpiration: 19700101000000Z


or like this:

   # HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM, GSSLAB.RDU.REDHAT.COM, kerberos, gsslab.rdu.redhat.com
   dn: krbprincipalname=HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM,cn=GSSLAB.RDU.REDHAT.COM,cn=kerberos,dc=gsslab,dc=rdu,dc=redhat,dc=com
   krbTicketFlags: 0
   krbPrincipalName: HTTP/vm225.gsslab.rdu.redhat.com@GSSLAB.RDU.REDHAT.COM
   krbLastPwdChange: 20080505185102Z
   krbExtraData:: AAIWVx9Icm9vdC9hZG1pbkBHU1NMQUIuUkRVLlJFREhBVC5DT00A
   objectClass: krbprincipal
   objectClass: krbprincipalaux
   objectClass: krbTicketPolicyAux
   objectClass: top
   krbPasswordExpiration: 19700101000000Z

To be able to publish certs into the service entry we need to have both 
the Kerberos attributes and the attributes defined in the pkiUser object 
class (RFC 4523):

      ( 2.5.6.21 NAME 'pkiUser'
           DESC 'X.509 PKI User'
           SUP top AUXILIARY
           MAY userCertificate )


In IPA v1, when the entry is created it does not have any Kerberos key 
material until the ipa-getkeytab utility is used to generate a keytab 
for the service.
It seems that it would be a simple migration task to apply the pkiUser 
object class to all entries in the services hive of the tree.
This would allow publishing a certificate into a service later if needed.
The management of the services would also have to be changed to apply 
the pkiUser object class when the service entry is created via the UI or CLI.
 
If there are no objections or comments I will add this information to 
the design page that talks about services.

Thanks
Dmitri
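The migration step described above, as an added example that is not part of the original post or of FreeIPA itself: it reads a dump of the service entries and emits the LDIF modifications that add objectClass pkiUser to every entry in the services hive that lacks it, skipping entries that already carry it. The sample entries, the realm EXAMPLE.TEST and the suffix dc=example,dc=test are constructed for the example.

```python
# Added example (not from the original post or the FreeIPA project): build the
# "changetype: modify" LDIF that adds the pkiUser object class to each Kerberos
# service entry in the services hive that does not already have it.
# Assumptions: plain LDIF without continuation lines, and the services hive is
# cn=<REALM>,cn=kerberos,<suffix> (constructed values below, not real hosts).

# Constructed sample: two service entries as in the post; the second already
# carries pkiUser so the skip path is exercised.
SAMPLE_LDIF = """\
dn: krbprincipalname=host/vm225.example.test@EXAMPLE.TEST,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbPrincipalName: host/vm225.example.test@EXAMPLE.TEST
krbExtraData:: AAISVx9Icm9vdC9hZG1pbkBFWEFNUExFLlRFU1QA
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: top

dn: krbprincipalname=HTTP/vm225.example.test@EXAMPLE.TEST,cn=EXAMPLE.TEST,cn=kerberos,dc=example,dc=test
krbPrincipalName: HTTP/vm225.example.test@EXAMPLE.TEST
objectClass: krbprincipal
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
objectClass: pkiUser
objectClass: top
"""

def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) for each blank-line separated entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue  # skip ldapsearch comment lines and padding
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = value[1:]  # "attr:: base64" form; value kept encoded
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        entries.append((dn, attrs))
    return entries

def needs_pkiuser(dn, attrs, services_base):
    """True for entries under the services hive whose objectClass lacks pkiUser."""
    in_hive = dn.lower().endswith("," + services_base.lower())
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    return in_hive and "pkiuser" not in classes

def migration_ldif(text, services_base):
    """Emit one modify record per entry that needs pkiUser (auxiliary, so it adds cleanly)."""
    changes = []
    for dn, attrs in parse_ldif(text):
        if needs_pkiuser(dn, attrs, services_base):
            changes.append(f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: pkiUser\n")
    return "\n".join(changes)
```

The resulting LDIF is what ldapmodify would consume; because pkiUser is AUXILIARY with only a MAY attribute, adding it requires no other attribute changes, and userCertificate can be published afterwards.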