freeipa/ipalib
Rob Crittenden bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin:

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client:

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
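The three conditions the commit message lists (the service exists, the host is in the certadmin rolegroup, the host appears in the service's managedBy attribute) together form the authorization decision that replaces the client-IP check. The following is an added illustration of that decision as a stand-alone function, not code from ipalib or this commit; the plugin that actually performs the check is not shown on this page. The in-memory `Directory` class, the function names, the `EXAMPLE.COM` realm and the host and service entries are constructed for the example and stand in for the IPA LDAP tree the admin commands above would populate.

```python
"""Model of host-delegated certificate issuance as described in the commit
message: a host principal may request a certificate for a service only if the
service exists, the host is a certadmin member, and the host is in managedBy.
Added example; not ipalib code."""

from dataclasses import dataclass, field

CERTADMIN_ROLEGROUP = "certadmin"


@dataclass
class Directory:
    """Minimal stand-in for the IPA directory (constructed data, not a real server)."""
    hosts: set = field(default_factory=set)        # FQDNs of enrolled hosts
    services: dict = field(default_factory=dict)   # service principal -> set of managedBy hosts
    rolegroups: dict = field(default_factory=dict) # rolegroup name -> set of member hosts


def principal_name(principal: str) -> str:
    """Strip the Kerberos realm: 'host/c.example.com@EXAMPLE.COM' -> 'host/c.example.com'."""
    return principal.split("@", 1)[0]


def authorize_host_cert_request(bound_principal: str, requested_principal: str,
                                directory: Directory):
    """Decide whether the identity that bound to the server (bound_principal) may
    request a certificate for requested_principal. Returns (allowed, reason).

    Only the host-delegation path from the commit message is modelled; callers
    that are not host principals are rejected here rather than routed to any
    other access-control path."""
    bound = principal_name(bound_principal)
    requested = principal_name(requested_principal)

    # The client is expected to have bound with its host service principal.
    if not bound.startswith("host/"):
        return False, "caller is not a host principal; host delegation does not apply"
    host = bound[len("host/"):]
    if host not in directory.hosts:
        return False, f"host {host} is not enrolled"

    # 1. the service must exist
    managed_by = directory.services.get(requested)
    if managed_by is None:
        return False, f"service {requested} does not exist"

    # 2. the machine must be a member of the certadmin rolegroup
    if host not in directory.rolegroups.get(CERTADMIN_ROLEGROUP, set()):
        return False, f"host {host} is not a member of rolegroup {CERTADMIN_ROLEGROUP}"

    # 3. the host must be listed in the service's managedBy attribute
    if host not in managed_by:
        return False, f"host {host} is not in managedBy of {requested}"

    return True, f"{host} may request a certificate for {requested}"


def example_directory() -> Directory:
    """Directory state the admin commands in the commit message would produce,
    plus a second host that is managed but not a certadmin (constructed)."""
    d = Directory()
    d.hosts.update({"client.example.com", "other.example.com"})
    d.services["HTTP/client.example.com"] = {"client.example.com"}
    d.services["HTTP/other.example.com"] = {"other.example.com"}
    d.rolegroups[CERTADMIN_ROLEGROUP] = {"client.example.com"}
    return d


if __name__ == "__main__":
    d = example_directory()
    for caller, target in [
        ("host/client.example.com@EXAMPLE.COM", "HTTP/client.example.com@EXAMPLE.COM"),
        ("host/client.example.com@EXAMPLE.COM", "HTTP/other.example.com@EXAMPLE.COM"),
        ("host/other.example.com@EXAMPLE.COM", "HTTP/other.example.com@EXAMPLE.COM"),
        ("host/client.example.com@EXAMPLE.COM", "HTTP/missing.example.com@EXAMPLE.COM"),
        ("admin@EXAMPLE.COM", "HTTP/client.example.com@EXAMPLE.COM"),
    ]:
        allowed, reason = authorize_host_cert_request(caller, target, d)
        print(f"{'ALLOW' if allowed else 'DENY '} {caller} -> {target}: {reason}")
```

The point the example makes is that certadmin membership alone is not enough: a host that is a certadmin but not in managedBy of a service is still refused a certificate for that service, and a host that is in managedBy but not a certadmin is refused as well. Binding as the host principal is what replaces the spoofable source IP as the caller's identity.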
plugins Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
__init__.py Removed util.add_global_options() and frontend.Application 2009-10-14 15:07:17 -06:00
aci.py Fix aci plugin, enhance aci parsing capabilities, add user group support 2009-09-28 22:27:42 -06:00
backend.py First pass at enforcing certificates be requested from same host 2009-10-21 03:22:44 -06:00
base.py Removed PluginProxy and all its uses 2009-08-05 12:18:51 -04:00
cli.py Fix bug in print_attribute. 2009-10-23 09:37:23 -04:00
compat.py Fixed 'import json' for simplejson compatability 2009-10-16 12:38:22 -06:00
config.py Use the FQDN and not just the hostname internally. 2009-10-16 14:57:33 -04:00
constants.py Giant webui patch take 2 2009-10-13 11:28:00 -06:00
crud.py Make primary_key optional. 2009-10-05 13:28:24 -06:00
encoder.py Prevent double encoding/decoding when processing compound types. 2009-08-03 23:00:17 -06:00
errors.py Change Password param so (password, confirm_password) can be passed to _convert_scalar() 2009-10-18 00:35:05 -06:00
frontend.py Removed util.add_global_options() and frontend.Application 2009-10-14 15:07:17 -06:00
ipauuid.py Fix Python 2.6 deprecation warning with the md5 import. Use hashlib instead. 2009-09-28 15:30:22 -06:00
parameters.py Change Password param so (password, confirm_password) can be passed to _convert_scalar() 2009-10-18 00:35:05 -06:00
plugable.py Make plugin browser show plugin parent class 2009-10-14 15:08:30 -06:00
request.py Ported xmlclient to subclass from Connectible 2009-02-03 15:29:03 -05:00
rpc.py Explicitly set verbosity off in the XML-RPC client 2009-09-14 09:46:42 -04:00
util.py Removed util.add_global_options() and frontend.Application 2009-10-14 15:07:17 -06:00