Issue #8087: Implicit CA ACL for IPA services - freeipa

freeipa

#8087 Implicit CA ACL for IPA services

Opened 4 years ago by ftweedal. Modified 3 years ago

Request for enhancement

Disabling the default CA ACL can cause issues. Indeed, we want to avoid any situation where renewal of IPA system certs can fail due to administrator disabling a CA ACL.

Therefore, hard code the following rule in the cert_request command:

If the operator principal is an IPA server host pricipal
and the subject principal is a service type HTTP/ or ldap/ for the same host
then allow the caIPAserviceCert profile to be used (CA ACLs need not be consulted)

Tests should be written that disable CA ACLs and check that HTTP/ldap cert renewals work.

Also need to check how the KDC certificate fits into this picture.

Also need to check what happens during replica installation (e.g. what principal requests the certificates; does the above rule handle this scenario or is something more needed?)

Metadata Update from @ftweedal:
- Assignee reset

3 years ago

Metadata

Assignee

None

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

None

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#8087 Implicit CA ACL for IPA services Opened 4 years ago by ftweedal. Modified 3 years ago

Close issue as:

Request for enhancement

Metadata

robustness Falcon

#8087 Implicit CA ACL for IPA services

Opened 4 years ago by ftweedal. Modified 3 years ago