When used within the FreeIPA project dogtag should allow authenticating using GSSAPI. Users can be mapped to the FreeIPA directory suffix in this case. Using GSSAPI would allow the IPA framework to fully delegate to dogtag's ACLs some operations requested by users.
It would be nice to ship support for GSSAPI authentication in Dogtag itself, and the IPA authorization plugin as part of IPA (IMO).
The feature request is related to #649, maybe even a duplicate of #649. I can't tell for sure because the other ticket has no description, just a title.
use-case 1: Use a GSSAPI-authenticated CA profile to issue a certificate via a GUI. The CA profile should support searching LDAP groups for authZ data, such that the $username@EXAMPLE.COM principal would be mapped to a LDAP DN. Membership in a LDAP groupofnames or groupofuniquenames group would authorize access to that specific profile.
$username@EXAMPLE.COM -> maps to uid=$username,ou=users,dc=example,dc=com

cn=pki-user,ou=groups,dc=example,dc=com
uniqueMember: uid=$username,ou=users,dc=example,dc=com

would authorize access to that profile
This would give users self-service access to create certificates, but provide a facility for limiting what kind of certificates could be issued based on group.
use-case 2: same as above, but should work via pki cli command
use-case 3: agents should be able to authorize agent-approved certs via GSSAPI auth rather than certificate authentication in GUI.
use-case 4: agents should be able to authorize agent-approved certs via GSSAPI auth rather than certificate authentication in pki CLI.
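The mapping and group check described in the use cases above, as an added example that is not part of the ticket or of Dogtag's own code. It assumes a single trusted realm EXAMPLE.COM, the DN template from use-case 1, and a constructed in-memory stand-in for the directory (the profile names and the agent group cn=pki-agent are assumptions). It also escapes the principal's name component before building the DN, so a user name containing DN metacharacters cannot alter the resulting DN, and it rejects service principals and foreign realms.

```python
"""Map a GSSAPI (Kerberos) principal to an LDAP DN and authorize access to a
CA profile by LDAP group membership.

Hypothetical example: the "directory" below is a constructed in-memory stand-in
for LDAP entries, not a live server, so the module runs offline."""
import re

REALM = "EXAMPLE.COM"  # assumption: the only realm whose principals are accepted
USER_DN_TEMPLATE = "uid={uid},ou=users,dc=example,dc=com"

# Membership attribute per group object class (attribute names lower-cased).
MEMBER_ATTRS = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}

# Constructed directory stand-in: DN (lower-cased) -> attributes.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": {"objectclass": ["inetorgperson"]},
    "uid=bob,ou=users,dc=example,dc=com": {"objectclass": ["inetorgperson"]},
    "cn=pki-user,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofuniquenames"],
        "uniquemember": ["uid=alice,ou=users,dc=example,dc=com"],
    },
    # assumption: a second group for the agent-approval use cases
    "cn=pki-agent,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupofnames"],
        "member": ["uid=bob,ou=users,dc=example,dc=com"],
    },
}

# Which group authorizes which profile (assumed profile names, one group each).
PROFILE_GROUPS = {
    "caUserCert": "cn=pki-user,ou=groups,dc=example,dc=com",
    "caAgentApproval": "cn=pki-agent,ou=groups,dc=example,dc=com",
}


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = re.sub(r'([\\,+"<>;=])', r"\\\1", value)
    if out.startswith("#") or out.startswith(" "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def principal_to_dn(principal):
    """Map name@REALM to a user DN.

    Returns None for foreign realms, empty names and service principals
    (those contain '/'), so they can never be authorized by accident."""
    if principal.count("@") != 1:
        return None
    name, realm = principal.split("@")
    if realm != REALM or not name or "/" in name:
        return None
    return USER_DN_TEMPLATE.format(uid=escape_dn_value(name))


def is_member(group_dn, user_dn):
    """True if user_dn is listed in the membership attribute of the group,
    honouring groupOfNames (member) and groupOfUniqueNames (uniqueMember)."""
    group = DIRECTORY.get(group_dn.lower())
    if group is None:
        return False
    for oc in group.get("objectclass", []):
        attr = MEMBER_ATTRS.get(oc.lower())
        if attr and user_dn.lower() in (m.lower() for m in group.get(attr, [])):
            return True
    return False


def authorize_profile(principal, profile):
    """Return True only if the principal maps to an existing user entry that is
    a member of the group configured for the requested profile."""
    user_dn = principal_to_dn(principal)
    if user_dn is None or user_dn.lower() not in DIRECTORY:
        return False
    group_dn = PROFILE_GROUPS.get(profile)
    return group_dn is not None and is_member(group_dn, user_dn)


if __name__ == "__main__":
    for who, prof in [("alice@EXAMPLE.COM", "caUserCert"),
                      ("bob@EXAMPLE.COM", "caUserCert"),
                      ("bob@EXAMPLE.COM", "caAgentApproval"),
                      ("alice@OTHER.ORG", "caUserCert")]:
        print(who, prof, "->", authorize_profile(who, prof))
```

Deny-by-default is the point of the structure: every lookup that fails (unknown realm, service principal, missing user entry, unknown profile, group without a recognised object class) returns False rather than falling through. Against a real server the DIRECTORY lookups would become LDAP searches, and the DN escaping matters there in exactly the same way.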
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1303683
Pushing this to the 10.3 backlog after discussion with Ade and Fraser. This isn't needed for the first cut of Dogtag 10.3 since FreeIPA will not consume it yet.
Per CS Bug/Ticket Triage held 04/19/2016: 10.4
Confirmed with Fraser.
Note: we also want to add GSS-API support to the pki command line tool, so that it can use a Kerberos ticket to authenticate as an alternative to an X.509 cert.
It may make sense to break that out as a separate ticket, but I'll leave it here as a comment for now.
Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - blocker
Metadata Update from @simo: - Issue assigned to ftweedal - Issue set to the milestone: 10.4
7 patches pushed to master
Metadata Update from @ftweedal: - Custom field feature adjusted to '' - Custom field proposedmilestone adjusted to '' - Custom field proposedpriority adjusted to '' - Custom field reviewer adjusted to '' - Custom field version adjusted to '' - Issue close_status updated to: None
Per PKI Bug Council of 03/23/2017: downgrading to critical
Metadata Update from @mharmsen: - Issue priority set to: critical (was: blocker)
Five more commits to close this out:
Metadata Update from @ftweedal: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @mharmsen: - Issue set to the milestone: 10.4.3 (was: 10.4)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1921
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.