When admin wants to issue a certificate for self using the ipa cert-request command, it fails with the following error:
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'uid=admin,cn=users,cn=accounts,dc=dom-example,dc=com'.
Admin can issue certificates for other users.
Steps to reproduce:
1. Create a CSR for admin
2. Use the WebUI (New certificate in Actions on the admin details page) or the CLI (ipa cert-request)
3. Use the created CSR
4. Error occurs
IPA version: 4.4.90.dev201702131103+git8d3bea8
Metadata Update from @pvomacka: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @pvoborni: - Custom field affects_doc reset - Custom field tester adjusted to wanted - Issue close_status updated to: None - Issue set to the milestone: Future Releases (was: 0.0 NEEDS_TRIAGE)
While that's probably obvious, the same problem occurs even for ipa user-mod --certificate=... and ipa user-add-cert.
Slightly different error these days but likely same underlying issue exists:
ipa user-mod --certificate=`cat /tmp/test.crt` admin
ipa: ERROR: attribute "userCertificate;binary" not allowed
Me 2. I was following "How to test" on https://www.freeipa.org/page/V4/User_Certificates , and ran into the same issue. FreeIPA 4.7.2 on Fedora 29 on both server and client.
Adding a certificate for another user works fine. So apparently an admin can't add a certificate for themselves.