#8540 Unable to get a x509 cert as admin user (through ipa cert-request)
Closed: invalid 3 years ago by arrfab. Opened 3 years ago by arrfab.

Request for enhancement

As IPA user with admin rights, I'd like to be able to request cert

Issue

While it seems a normal user can retrieve a cert, admin user can't

Steps to Reproduce

  1. create a profile: ipa certprofile-show --out user_cert.cfg caIPAserviceCert ; edit the file ; ipa certprofile-import user_cert --file user_cert.cfg --desc "Users Certificates"
  2. as admin, try to request a cert: ipa cert-request cert.csr --profile-id=user_cert --principal=admin
  3. returned output is: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'uid=admin,cn=users,cn=accounts,dc=dev,dc=centos,dc=org'.

Actual behavior

From the server log, it seems due to the default ACI:

[Mon Oct 12 15:58:46.710007 2020] [wsgi:error] [pid 11770:tid 139705718580992] [remote 172.19.4.145:46444] ipa: INFO: [jsonserver_session] admin@DEV.CENTOS.ORG: cert_request/1('-----BEGIN CERTIFICATE REQUEST-----\\nMIICVTCCAT0CAQAwEDEOMAwGA1UEAwwFYWRtaW4wggEiMA0GCSqGSIb3DQEBAQUA\\nA4IBDwAwggEKAoIBAQDT5tkCzMXIQQJOAciwgUX5KsZAyKcy1GCsnSW90gyLNicf\\nUdwNkAEKA3bcVj7wrPVmZ61kQeOFRctjt9OXt+rYbMSQ4csGaCt6etvHK9QRMK2I\\nCal7vLeQPMbu3lYcDFk2o1eKvMh2ybAdk6XN+/9LrBjr1vGCzg6ODiPHn4wF4Je3\\nCdb5KqO2EZEH+rqLdcCsspCndh7j6K+6MlhnX0ePvuxdkWGImRc8UyZ51DOHHdsj\\n7qVU3R7qqRfcOKu2du6hKLG0yXF4/+B9TZy61ZVmTC/UbDiz2nREOtCGCPQ3Bi7y\\nf56eXlxKBv/2YDuOWKRe903mMEoM0+1+kwA/VZdbAgMBAAGgADANBgkqhkiG9w0B\\nAQsFAAOCAQEAAijyLP+A95u8v9abQMFXyl65JaEIKQrjaKG8Q28VwizHhCXKWn3M\\n/cpHQSa5Z131fWKDf5MeMUbEaVfdtZEk/IsKayH99gKFPIims/1ofY8quezqk4ah\\nz6v9Qg48UxZkP1pTgwllKUUQfw2gkxpyN3wRQ8jVRi9jgtdFUpmeSLHaSsRI0JSK\\nSGBvZVYbo/VE+xxhWjYrpoMD5VGNBTZOy5SRBz1pdyLgZfR9qEpPJqYV2c/psGLq\\nGG/0uUHP8gynX2uo1F4NkXOy2mu0m5QXDT65Z+7X876dNr/WyjjCgDupLwriVjmz\\ne8k4XGzAJQdJbNyQjlhopuQgXt1uHLqpTw==\\n-----END CERTIFICATE REQUEST-----\\n', profile_id='user_cert', principal='admin', add=True, version='2.235'): ACIError

Expected behavior

admin user able to retrieve a TLS cert

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server :

ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64
389-ds-base-1.4.2.4-10.module_el8.2.0+489+38ed056a.x86_64
pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch
krb5-server-1.17-18.el8.x86_64

Per discussion on IRC, I was asked to report this here to see which workaround can be put in place.


Forgot to mention that we have a CAACL in place to let users use that profile-id, as a generic user can follow the same process and get his cert signed back.

And just to add that I created another user, also with admin rights (member of admins and trust admins, like the default admin), and I could ask for a cert with the same profile:

ipa cert-request cert.csr --principal=arrfab_admin --profile-id=user_cert --help
ipa cert-request cert.csr --principal=arrfab_admin --profile-id=user_cert --certificate-out=cert.crt
<snip>
Subject: CN=arrfab_admin,O=DEV.CENTOS.ORG
  Issuer: CN=Certificate Authority,O=DEV.CENTOS.ORG
  Not Before: Tue Oct 13 09:50:38 2020 UTC
  Not After: Fri Oct 14 09:50:38 2022 UTC
  Serial number: 19
  Serial number (hex): 0x13

So probably not a "real" issue; probably the ACI is really strict only on the default 'admin' user but not other ones.

The default admin user cannot have an attribute userCertificate because it does not have the object class inetOrgPerson nor any other object class with userCertificate attribute.

@chimes: yes, that's what I discovered, so probably a corner case (and yes, nobody should try, which I did as a test, to request a cert for the default admin user).
We can close it as it's not really a bug.
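The diagnosis above (the default admin entry has no object class that carries userCertificate, so cert-request is rejected) can be turned into a pre-check before issuing `ipa cert-request`. The script below is an added example, not FreeIPA project code and not from the ticket: it parses the `ipa user-show <user> --all --raw` style output for a user entry and reports whether any object class that defines userCertificate is present. The two entries are constructed samples, and the table of certificate-bearing object classes (inetOrgPerson from the thread, plus strongAuthenticationUser and pkiUser from the standard LDAP schema) is an assumption, not something the ticket states.

```python
"""Pre-check whether a FreeIPA user entry can hold a userCertificate value.

Added example (not FreeIPA project code). The entry text is normally the
output of `ipa user-show <user> --all --raw`; the samples here are constructed.
"""
import re
from typing import Dict, List, Tuple

# Assumption: object classes in the standard LDAP / 389-ds schema that define
# userCertificate (MUST or MAY). Names are compared case-insensitively because
# LDAP object class names are case-insensitive.
CERT_BEARING_CLASSES = {"inetorgperson", "strongauthenticationuser", "pkiuser"}

# Constructed sample modelled on the default admin entry (objectclass lines only).
ADMIN_RAW = """\
  dn: uid=admin,cn=users,cn=accounts,dc=dev,dc=centos,dc=org
  uid: admin
  objectclass: top
  objectclass: person
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: inetuser
  objectclass: ipaobject
"""

# Constructed sample of a user created with `ipa user-add`, which gets inetOrgPerson.
ARRFAB_ADMIN_RAW = """\
  dn: uid=arrfab_admin,cn=users,cn=accounts,dc=dev,dc=centos,dc=org
  uid: arrfab_admin
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: posixaccount
  objectclass: krbprincipalaux
"""


def parse_raw_entry(text: str) -> Dict[str, List[str]]:
    """Parse 'attr: value' lines into a multi-valued map keyed by lower-cased attribute name."""
    entry: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][\w;-]*):\s*(.*)$", line)
        if m:
            entry.setdefault(m.group(1).lower(), []).append(m.group(2))
    return entry


def can_hold_user_certificate(entry: Dict[str, List[str]]) -> bool:
    """True when at least one object class on the entry defines userCertificate."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return bool(classes & CERT_BEARING_CLASSES)


def precheck(raw: str) -> Tuple[bool, str]:
    """Return (ok, human-readable verdict) for one raw entry."""
    entry = parse_raw_entry(raw)
    dn = entry.get("dn", ["<unknown dn>"])[0]
    if can_hold_user_certificate(entry):
        return True, f"{dn}: entry can store userCertificate; cert-request can proceed"
    return False, (f"{dn}: no object class among {sorted(CERT_BEARING_CLASSES)} present; "
                   f"cert-request for this principal will be rejected")


if __name__ == "__main__":
    for raw in (ADMIN_RAW, ARRFAB_ADMIN_RAW):
        ok, msg = precheck(raw)
        print("PASS" if ok else "FAIL", msg)
```

Run it against real output by piping `ipa user-show admin --all --raw` into `parse_raw_entry`; the admin sample reports FAIL and the ordinary user sample reports PASS, matching the two outcomes seen in the ticket.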

Metadata Update from @arrfab:
- Issue close_status updated to: invalid
- Issue status updated to: Closed (was: Open)

3 years ago

