Reported by abokovoy.
[root@id ~]# ipa certprofile-find
------------------
2 profiles matched
------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

  Profile ID: caIPAsmimeCert
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
----------------------------
Number of entries returned 2
----------------------------
[root@id ~]# ipa certprofile-show caIPAsmimeCert
  Profile ID: caIPAsmimeCert
  Profile description: S/MIME certificates
  Store issued certificates: TRUE
[root@id ~]# ipa caacl-find
-----------------
2 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  User category: all
  Host category: all
  Profiles: caIPAserviceCert

  ACL name: smime_acl
  Enabled: TRUE
  Profiles: caIPAsmimeCert
  User Groups: smime_users
----------------------------
Number of entries returned 2
----------------------------
[root@id ~]# ipa group-show smime_users
  Group name: smime_users
  GID: 1792600006
  Member users: abokovoy
....
[abokovoy@onega freeipa-ca]$ ipa cert-request ab-vdali.csr --principal abokovoy --profile-id caIPAsmimeCert
ipa: ERROR: Insufficient access: not allowed to perform this command
A user should be able to issue a certificate with an rfc822Name SAN (subject to caacl).
attachment freeipa-ftweedal-0035-Allow-SAN-extension-for-cert-request-self-service.patch
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1200694 (Red Hat Enterprise Linux 7)
master:
ipa-4-2:
Metadata Update from @ftweedal:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.2.1