freeipa/ipaserver/plugins
Rob Crittenden bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
__init__.py Remove deprecated comment on plugin naming conventions 2009-09-14 09:46:35 -04:00
dogtag.py Only initialize the API once in the installer 2009-09-28 22:17:01 -06:00
join.py Remove a bunch of unused imports, general cleanup 2009-10-25 22:54:55 -06:00
ldap2.py Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
ldapapi.py Fix password setting on python 2.4 systems (it doesn't like None for oldpw) 2009-05-21 22:43:10 -04:00
rabase.py Add external CA signing and abstract out the RA backend 2009-09-15 10:01:08 -04:00
selfsign.py Use the same variable name in the response as the dogtag plugin 2009-09-24 17:42:26 -04:00
xmlserver.py Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00