Commit Graph

11 Commits

Author SHA1 Message Date
Rob Crittenden
453a19fcac First pass at enforcing certificates be requested from same host
We want to only allow a machine to request a certificate for itself, not for
other machines. I've added a new taksgroup which will allow this.

The requesting IP is resolved and compared to the subject of the CSR to
determine if they are the same host. The same is done with the service
principal. Subject alt names are not queried yet.

This does not yet grant machines actual permission to request certificates
yet, that is still limited to the taskgroup request_certs.
2009-10-21 03:22:44 -06:00
Rob Crittenden
383492866e Fix ACI for host delegation
We had changed the DN format, I must have missed these ACIs the first
go around.
2009-10-17 22:51:53 -06:00
Rob Crittenden
f838e7e18b Fix an oops where I forgot to replace a string with a template 2009-10-17 22:08:50 -06:00
Rob Crittenden
b4cef3b79b Use nestedgroup instead of groupofnames for rolegroups so we have memberof 2009-10-12 09:40:49 -04:00
Rob Crittenden
d0587cbdd5 Enrollment for a host in an IPA domain
This will create a host service principal and may create a host entry (for
admins).  A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.

This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
2009-09-24 17:45:49 -06:00
Rob Crittenden
e31d5fb1cf Implement support for non-LDAP-based actions that use the LDAP ACI subsystem.
There are some operations, like those for the certificate system, that
don't need to write to the directory server. So instead we have an entry
that we test against to determine whether the operation is allowed or not.

This is done by attempting a write on the entry. If it would succeed then
permission is granted. If not then denied. The write we attempt is actually
invalid so the write itself will fail but the attempt will fail first if
access is not permitted, so we can distinguish between the two without
polluting the entry.
2009-07-10 16:41:05 -04:00
Simo Sorce
9fe707a3f2 Basic changes to get a default principal for DNS
Also moves delagation layout installation in dsinstance.
This is needed to allow us to set default membership in
other modules like bindinstance.

Signed-off-by: Martin Nagy <mnagy@redhat.com>
2009-07-10 09:42:22 -04:00
Rob Crittenden
86472a94ee Fix quoting to work with new csv handler in ldapupdate 2009-05-19 11:50:39 -06:00
Rob Crittenden
4376ad0b10 Add taskgroup and ACI for writing host principal keys (so ipa-getkeytab works) 2009-05-19 09:52:21 -04:00
Rob Crittenden
0c63ed3f5e Fill in the ACIs and taskgroups for most of the plugins.
This adds:
group administration
host administration
host group administration
delegation administration
service administration
automount administration
netgroup administration
2009-04-01 10:33:43 -04:00
Rob Crittenden
c00281a9f9 Name update files so they can be easily sorted.
We want to process some updates in a particular order (schema, structural).
Using an init-inspired ordering mechanism.
2009-03-25 11:03:07 -04:00