[Freeipa-devel] Unifying the PKI and IPA Directory Server instances
Adam Young
ayoung at redhat.com
Thu Nov 3 15:46:23 UTC 2011
On 11/03/2011 11:30 AM, Andrew Wnuk wrote:
> On 11/02/2011 03:19 PM, Rob Crittenden wrote:
>> Simo Sorce wrote:
>>> On Wed, 2011-11-02 at 16:44 -0400, Ade Lee wrote:
>>>> On Wed, 2011-11-02 at 16:03 -0400, Adam Young wrote:
>>> [...]
>>>> So, a user becomes an agent on the ca by having a certificate in the
>>>> user record and being a member of the relevant admin, agent or auditor
>>>> group.
>>>>
>>>> I see this as follows:
>>>> 1. ipa cms-user-add (add a user and add the auxilliary cmsuser object
>>>> class)
>>>> 2. ipa user-cert (contact the ca and get a certificate for this user,
>>>> add this cert to the user record in the ipa database)
>>>> 3. ipa group-add-member (add the user to the relevant group)
>>>>
>>>> At no point does PKI need to modify anything in the IPA database.
>>>
>>> Sounds reasonable.
>>> Can you post a link to the schema that would be added to IPA objects ?
>>>
>>> Simo.
>>>
>>
>> IIRC the user we create in CS now has the description attribute set
>> up in a very specific way. Is that still required?
>>
>> rob
>
> Steps 1 to 3 should have an option to be performed only by CS admins
> with certificate client authentication, otherwise we will break rules
> of secure CS configuration including separation of roles.
We had a long talk about that on the IPA call this morning.
In order to add someone to the PKIAdmin user-group, you need to have
the appropriate ACIs. We'd like to lock thos in, so that someone
messing around with IPA can't mess them up.
I'm not certain that the specific authentication mechanism is the issue
so much as you need to have a guarantee of authentication no less than
what Client Cert auth gives you. Kerberos authentication should
actually be as good: it will be enforced not just by the application,
but all the way down to the DS instance via ACIs.
>
> Andrew
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
More information about the Freeipa-devel
mailing list