#4567 [RFE] Add access control so hosts can create their own services
Closed: Fixed None Opened 7 years ago by rcritten.

Today hosts can write to values in only their managed services, but they cannot create those services. This is due to missing ACI capabilities, mostly because a host and a service are not in a hierarchical parent/child relationship.

This will need to limit the krbprincipalname of the service to match the fqdn of the host entry, ideally also confirming that managedby contains the host fqdn.

One use case for this is certmonger, requesting a certificate for a non-existent service on the host. Certmonger today always includes the --add option to attempt service creation if it does not already exist. It fails today with an error about not being in the serviceadmin role (because a host can't add services by default).

There is an RFE against 389-ds to add a new ACI type to achieve this: https://fedorahosted.org/389/ticket/47904
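The constraint described above (the service principal's host component must equal the host's fqdn, and managedby must reference the host) expressed as a plain check, added here as an illustration and not FreeIPA's own code or its ACI; the DN layout and suffix are assumptions made for the example:

```python
"""Model the rule a host-creates-own-service ACI must enforce.

Added example, not FreeIPA code: checks that every krbprincipalname in a
proposed service entry names the requesting host and that managedby lists
that host. Directory layout below is an assumption for illustration.
"""
from typing import Optional

SUFFIX = "dc=example,dc=com"  # assumed suffix, constructed for this example


def host_dn(fqdn: str) -> str:
    """DN of a host entry (assumed layout: fqdn=...,cn=computers,cn=accounts)."""
    return f"fqdn={fqdn.lower()},cn=computers,cn=accounts,{SUFFIX}"


def principal_host(krbprincipalname: str) -> Optional[str]:
    """Return the host part of a 'service/host@REALM' principal, else None."""
    name = krbprincipalname.split("@", 1)[0]  # realm is optional here
    parts = name.split("/")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None  # user principals or malformed names do not qualify
    return parts[1].lower()


def host_may_add_service(host_fqdn: str, service_entry: dict) -> bool:
    """True only if all principals name host_fqdn and managedby contains it."""
    principals = service_entry.get("krbprincipalname", [])
    if not principals:
        return False
    for principal in principals:
        if principal_host(principal) != host_fqdn.lower():
            return False  # a host may not create services for another host
    managed = [dn.lower() for dn in service_entry.get("managedby", [])]
    return host_dn(host_fqdn) in managed
```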


The certmonger use case is also described in the already triaged ticket: https://fedorahosted.org/freeipa/ticket/4540#comment:2

Rob should have some cycles to help with this one.

Another certmonger related ticket that would benefit from this RFE - #4918.

I should mention that this requires 389-ds-base 1.3.4.0 which contains an ACI wildcard fix, https://fedorahosted.org/389/ticket/48141

master:

  • ce50630 Add ACI to allow hosts to add their own services

Metadata Update from @rcritten:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.2

4 years ago
