freeipa/ipaserver
Rob Crittenden bd619adb5c Use a new mechanism for delegating certificate issuance.
Using the client IP address was a rather poor mechanism for controlling
who could request certificates for whom. Instead the client machine will
bind using the host service principal and request the certificate.

In order to do this:
* the service will need to exist
* the machine needs to be in the certadmin rolegroup
* the host needs to be in the managedBy attribute of the service

It might look something like:

admin

ipa host-add client.example.com --password=secret123
ipa service-add HTTP/client.example.com
ipa service-add-host --hosts=client.example.com HTTP/client.example.com
ipa rolegroup-add-member --hosts=client.example.com certadmin

client

ipa-client-install
ipa-join -w secret123
kinit -kt /etc/krb5.keytab host/client.example.com
ipa -d cert-request file://web.csr --principal=HTTP/client.example.com
2009-11-03 09:04:05 -07:00
install Add a sleep() prior to calling tasks to ensure postop writes are done 2009-10-16 14:57:53 -04:00
plugins Use a new mechanism for delegating certificate issuance. 2009-11-03 09:04:05 -07:00
__init__.py Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
conn.py Renamed ipa_server/ to ipaserver/ and tests/test_ipa_server/ to tests/test_ipaserver 2009-01-04 18:44:16 -07:00
ipaldap.py Don't pass non-existent arguments to _handle_errors() 2009-05-19 09:48:35 -04:00
ipautil.py Clean up some problems discovered with pylint and pychecker 2009-08-12 13:18:15 -04:00
rpcserver.py Add mod_python adapter and some UI tuning 2009-10-27 21:38:13 -06:00
servercore.py Clean up some problems discovered with pylint and pychecker 2009-08-12 13:18:15 -04:00