freeipa/ipalib/plugins
Rob Crittenden bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
__init__.py Renamed f_misc.py plugin module to misc.py 2009-02-03 15:29:00 -05:00
aci.py Fix aci plugin, enhance aci parsing capabilities, add user group support 2009-09-28 22:27:42 -06:00
automount.py Automatically generate an auto.master map for new automount location. 2009-09-10 10:06:27 -04:00
baseldap.py Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
cert.py Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
config.py Make the config plugin use baseldap classes. 2009-10-05 15:58:40 -04:00
delegation.py Rename *-create/*-delete commands to *-add/*-del respectively. 2009-07-02 13:33:02 -04:00
dns.py Fix bug in dns_find - execute() returned different value than expected. 2009-09-08 13:39:06 -04:00
group.py Display membership attributes (member, memberOf) by default in show/find. 2009-10-21 10:35:03 -04:00
hbac.py Fix bug in HBAC and netgroup plugin get_primary_key_from_dn methods. 2009-10-08 10:11:29 -04:00
host.py Make the host plugin use baseldap classes. 2009-09-28 15:00:27 -06:00
hostgroup.py Make the hostgroup plugin use baseldap classes. 2009-10-05 16:02:02 -04:00
kerberos.py Giant webui patch take 2 2009-10-13 11:28:00 -06:00
misc.py Giant webui patch take 2 2009-10-13 11:28:00 -06:00
netgroup.py Display membership attributes (member, memberOf) by default in show/find. 2009-10-21 10:35:03 -04:00
passwd.py Fix bug in basegroup and passwd plugins (incorrect use of find_entry_by_attr). 2009-07-02 13:33:02 -04:00
pwpolicy.py Add support for per-group kerberos password policy. 2009-10-05 13:29:55 -06:00
rolegroup.py Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
service.py Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
taskgroup.py Display membership attributes (member, memberOf) by default in show/find. 2009-10-21 10:35:03 -04:00
user.py Giant webui patch take 2 2009-10-13 11:28:00 -06:00
virtual.py First pass at enforcing certificates be requested from same host 2009-10-21 03:22:44 -06:00
xmlclient.py Sundry work getting ready to switch to new XML-RPC client/server code 2009-02-03 15:29:00 -05:00