freeipa/install/share
Rob Crittenden bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
05rfc2247.ldif Incorporate new schema for IPAv2 2009-02-11 17:13:41 -05:00
60basev2.ldif Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
60ipaconfig.ldif Include schema for key escrow management 2009-08-10 16:38:18 -06:00
60kerberos.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
60policyv2.ldif Install policy schema 2009-02-13 13:04:49 -05:00
60radius.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
60samba.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
anonymous-vlv.ldif Let anonymous users browse the VLV index 2009-07-10 16:45:45 -04:00
bind.named.conf.template Use DNS forwarders in /etc/named.conf 2009-09-02 19:09:28 +02:00
bind.zone.db.template Use root.$HOST.$DOMAIN. instead of root.$DOMAIN. 2009-06-02 12:32:06 +02:00
bootstrap-template.ldif Add HBAC plugin and introduce GeneralizedTime parameter type. 2009-10-05 15:55:27 -04:00
caJarSigningCert.cfg.template Add signing profile to CA installation so we can sign the firefox jar file. 2009-05-04 16:54:42 -04:00
certmap.conf.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
default-aci.ldif Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
default-keytypes.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
delegation.ldif Basic changes to get a default principal for DNS 2009-07-10 09:42:22 -04:00
dna-posix.ldif Ensure that dnaMaxValue is higher than dnaNextValue at install time 2009-09-09 22:05:24 -04:00
dns_reverse.ldif Add a reverse zone with server's PTR record 2009-07-22 18:02:22 +02:00
dns.ldif Add a reverse zone with server's PTR record 2009-07-22 18:02:22 +02:00
encrypted_attribute.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
fedora-ds.init.patch Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
indices.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
kdc.conf.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
kerberos.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krb5.conf.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krb5.ini.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krb.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
krbrealm.con.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
ldapi.ldif Enable ldapi connections in the management framework. 2009-08-27 13:36:58 -04:00
Makefile.am No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00
master-entry.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
memberof-conf.ldif No longer use the IPA-specific memberof plugin. Use the DS-supplied one. 2009-10-12 09:37:38 -04:00
memberof-task.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
nis.uldif Add schema-compat translation from our netgroup schema to nisNetgroup triples 2009-05-19 09:53:40 -04:00
ntp.conf.server.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
ntpd.sysconfig.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
preferences.html.template Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
referint-conf.ldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
schema_compat.uldif Mass tree reorganization for IPAv2. To view previous history of files use: 2009-02-03 15:27:14 -05:00
unique-attributes.ldif Enforce netgroup uniqueness, allow netgroups to be members of netgroups 2009-02-27 12:57:21 -05:00