As an IPA user with admin rights, I'd like to be able to request a cert
While it seems a normal user can retrieve a cert, the admin user can't
ipa certprofile-show --out user_cert.cfg caIPAserviceCert ; edit ; ipa certprofile-import user_cert --file user_cert.cfg --desc "Users Certificates"
ipa cert-request cert.csr --profile-id=user_cert --principal=admin
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'uid=admin,cn=users,cn=accounts,dc=dev,dc=centos,dc=org'.
From the server log, it seems to be due to the default ACI:
[Mon Oct 12 15:58:46.710007 2020] [wsgi:error] [pid 11770:tid 139705718580992] [remote 172.19.4.145:46444] ipa: INFO: [jsonserver_session] admin@DEV.CENTOS.ORG: cert_request/1('-----BEGIN CERTIFICATE REQUEST-----\\nMIICVTCCAT0CAQAwEDEOMAwGA1UEAwwFYWRtaW4wggEiMA0GCSqGSIb3DQEBAQUA\\nA4IBDwAwggEKAoIBAQDT5tkCzMXIQQJOAciwgUX5KsZAyKcy1GCsnSW90gyLNicf\\nUdwNkAEKA3bcVj7wrPVmZ61kQeOFRctjt9OXt+rYbMSQ4csGaCt6etvHK9QRMK2I\\nCal7vLeQPMbu3lYcDFk2o1eKvMh2ybAdk6XN+/9LrBjr1vGCzg6ODiPHn4wF4Je3\\nCdb5KqO2EZEH+rqLdcCsspCndh7j6K+6MlhnX0ePvuxdkWGImRc8UyZ51DOHHdsj\\n7qVU3R7qqRfcOKu2du6hKLG0yXF4/+B9TZy61ZVmTC/UbDiz2nREOtCGCPQ3Bi7y\\nf56eXlxKBv/2YDuOWKRe903mMEoM0+1+kwA/VZdbAgMBAAGgADANBgkqhkiG9w0B\\nAQsFAAOCAQEAAijyLP+A95u8v9abQMFXyl65JaEIKQrjaKG8Q28VwizHhCXKWn3M\\n/cpHQSa5Z131fWKDf5MeMUbEaVfdtZEk/IsKayH99gKFPIims/1ofY8quezqk4ah\\nz6v9Qg48UxZkP1pTgwllKUUQfw2gkxpyN3wRQ8jVRi9jgtdFUpmeSLHaSsRI0JSK\\nSGBvZVYbo/VE+xxhWjYrpoMD5VGNBTZOy5SRBz1pdyLgZfR9qEpPJqYV2c/psGLq\\nGG/0uUHP8gynX2uo1F4NkXOy2mu0m5QXDT65Z+7X876dNr/WyjjCgDupLwriVjmz\\ne8k4XGzAJQdJbNyQjlhopuQgXt1uHLqpTw==\\n-----END CERTIFICATE REQUEST-----\\n', profile_id='user_cert', principal='admin', add=True, version='2.235'): ACIError
admin user able to retrieve a TLS cert
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server :
ipa-server-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64 ipa-client-4.8.4-7.module_el8.2.0+374+0d2d74a1.x86_64 389-ds-base-1.4.2.4-10.module_el8.2.0+489+38ed056a.x86_64 pki-ca-10.8.3-2.module_el8.2.0+371+f5726439.noarch krb5-server-1.17-18.el8.x86_64
Per discussion on IRC, I was asked to report this here to see which workaround can be put in place
Forgot to mention that we have a CAACL in place to let users use that profile-id, as a generic user can follow the same process and get his cert signed back
And just to add that I created another user, also with admin rights (member of admins and trust admins, like the default admin), and I could ask for a cert with the same profile:
ipa cert-request cert.csr --principal=arrfab_admin --profile-id=user_cert --help
ipa cert-request cert.csr --principal=arrfab_admin --profile-id=user_cert --certificate-out=cert.crt
<snip>
  Subject: CN=arrfab_admin,O=DEV.CENTOS.ORG
  Issuer: CN=Certificate Authority,O=DEV.CENTOS.ORG
  Not Before: Tue Oct 13 09:50:38 2020 UTC
  Not After: Fri Oct 14 09:50:38 2022 UTC
  Serial number: 19
  Serial number (hex): 0x13
So probably not a "real" issue, and probably the ACI is really strict only on the default 'admin' user but not on other ones
The default admin user cannot have an attribute userCertificate because it does not have the object class inetOrgPerson nor any other object class with userCertificate attribute.
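The explanation above turns the question into a schema check: before blaming an ACI, find out whether the target entry can hold userCertificate at all. The following is an added example, not code from the ticket or from the FreeIPA project. It parses the objectClass values of user entries from LDIF (as an `ldapsearch -LLL ... objectClass` dump would produce; the exact search command is assumed, not taken from the page) and reports, per entry, which object classes permit userCertificate. The certificate-bearing classes are the standard schema ones (inetOrgPerson from RFC 2798, pkiUser and strongAuthenticationUser from RFC 4523); the embedded sample LDIF is constructed to mirror the two entries in this ticket (default admin without inetOrgPerson, a second admin with it) and its object class lists are modeled on a typical deployment rather than copied from the page.

```python
"""Pre-check: can this IPA user entry carry userCertificate?

Added example, not FreeIPA project code. Usage:
    python precheck_usercert.py            # runs against the constructed sample
    python precheck_usercert.py users.ldif # runs against a real LDIF dump
"""
import base64
import sys
from typing import Dict, List

# Standard object classes whose MAY list contains userCertificate:
# inetOrgPerson (RFC 2798), pkiUser and strongAuthenticationUser (RFC 4523).
# Assumption: the deployment adds no custom class that also permits it.
CERT_BEARING_CLASSES = {"inetorgperson", "pkiuser", "strongauthenticationuser"}

# Constructed sample, not taken from the ticket: the default admin entry has no
# inetOrgPerson, the second admin user does. A folded line is included to
# exercise LDIF continuation handling.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=dev,dc=centos,dc=org
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys

dn: uid=arrfab_admin,cn=users,cn=accounts,dc=dev,dc=centos,dc=org
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOf
 PubKeys
objectClass: ipantuserattrs
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of {attr(lowercase): [values]} dicts.

    Handles folded lines (leading space), base64 values ('::') and comments.
    """
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    pending = None  # (attr name, is_base64, accumulated value)

    def flush() -> None:
        nonlocal pending
        if pending is None:
            return
        name, is_b64, value = pending
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name.lower(), []).append(value)
        pending = None

    for raw in text.splitlines() + [""]:  # sentinel blank line ends last entry
        if raw.startswith(" "):  # continuation of the previous value
            if pending is not None:
                pending = (pending[0], pending[1], pending[2] + raw[1:])
            continue
        flush()
        if raw == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if raw.startswith("#"):
            continue
        name, _, rest = raw.partition(":")
        if rest.startswith(":"):
            pending = (name, True, rest[1:].strip())
        else:
            pending = (name, False, rest.strip())
    return entries


def cert_capable_classes(entry: Dict[str, List[str]]) -> List[str]:
    """Object classes on the entry that permit userCertificate (may be empty)."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return sorted(classes & CERT_BEARING_CLASSES)


def check_entries(text: str) -> Dict[str, List[str]]:
    """Map each entry DN to the classes that allow it to hold userCertificate."""
    return {e["dn"][0]: cert_capable_classes(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, classes in check_entries(text).items():
        verdict = "OK via " + ", ".join(classes) if classes else "cannot hold userCertificate"
        print(f"{dn}: {verdict}")
```

An entry that comes back with an empty list will fail `ipa cert-request ... --principal=<that user>` regardless of which ACIs or CA ACLs grant the requester access, which is the situation the default admin hits above.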
@chimes: yes, that's what I discovered, so probably a corner case (and yes, nobody should try - which I did as a test - to request a cert for the default admin user). We can close it as it's not really a bug.
Metadata Update from @arrfab: - Issue close_status updated to: invalid - Issue status updated to: Closed (was: Open)