We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate.
I get the following error:
Insufficient access: Principal 'testplem@MGMT.EXAMPLE.COM' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance.
Here are the permissions I have set up.
* Create a new Privilege called SelfService
* Add the following permissions to the SelfService Privilege:
  * Request Certificate (FreeIPA builtin permission)
  * Retrieve Certificates from the CA (FreeIPA builtin permission)
  * UserSelfSerivceCertificate (custom permission)
  * ReadCAProfile (custom permission)
  * ReadIPACA (custom permission)
* Create a Role called SelfService
  * Attach the SelfService Privilege to this Role
* I then attach that Role to a test user.
I am sure I am missing other permissions but I am not sure what. If there is already documentation that explains how to do this I am happy to reference that. If not, what else am I missing?
============
dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermRight: write
ipaPermRight: add
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: UserSelfSerivceCertificate
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: usercertificate
============
dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermBindRuleType: permission
ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermTargetFilter: (objectclass=ipacertprofile)
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadCAProfile
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacertprofilestoreissued
ipaPermIncludedAttr: objectclass
============
dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermRight: read
ipaPermRight: search
ipaPermRight: compare
ipaPermTargetFilter: (objectclass=ipaca)
ipaPermBindRuleType: permission
ipaPermissionType: SYSTEM
ipaPermissionType: V2
cn: ReadIPACA
objectClass: top
objectClass: groupofnames
objectClass: ipapermission
objectClass: ipapermissionv2
ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
ipaPermIncludedAttr: cn
ipaPermIncludedAttr: description
ipaPermIncludedAttr: ipacaid
ipaPermIncludedAttr: ipacaissuerdn
ipaPermIncludedAttr: ipacasubjectdn
ipaPermIncludedAttr: objectclass
Thank you for any insight you are able to provide.
On 12/24/19 2:53 PM, Michael Plemmons via FreeIPA-users wrote:
We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate.
I get the following error:
Insufficient access: Principal 'testplem@MGMT.EXAMPLE.COM' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance.
Hi,
please have a look in the documentation at the chapter related to Certificate Authority ACL rules: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
CA ACLs define which certificate profile can be used to issue certificates to which users/services/hosts.
HTH, flo
--
Mike Plemmons, Senior Infrastructure Engineer, 614-427-2411
https://oliveai.com/ 99 E. Main Street, Columbus, OH 43215
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
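The CA ACL check Flo points to, as an added example that is not from the thread or from FreeIPA's own code: a small Python model of how a request for a principal, CA and profile is matched against CA ACLs, with the corresponding ipa caacl commands in comments. The group name and ACL name are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CAACL:
    """One FreeIPA CA ACL (ipa caacl-*), reduced to what a user request needs."""
    name: str
    enabled: bool = True
    users: set = field(default_factory=set)      # memberuser: user logins
    groups: set = field(default_factory=set)     # memberuser: group names
    user_category_all: bool = False              # --usercat=all
    profiles: set = field(default_factory=set)   # ipamembercertprofile
    profile_category_all: bool = False           # --profilecat=all
    cas: set = field(default_factory=set)        # ipamemberca
    ca_category_all: bool = False                # --cacat=all

    def matches(self, login, login_groups, ca, profile):
        # All three dimensions must match (or be opened with a category of "all").
        if not self.enabled:
            return False
        user_ok = self.user_category_all or login in self.users or bool(self.groups & login_groups)
        profile_ok = self.profile_category_all or profile in self.profiles
        ca_ok = self.ca_category_all or ca in self.cas
        return user_ok and profile_ok and ca_ok

def check_issuance(principal, login_groups, ca, profile, acls):
    """Return None when some enabled CA ACL permits the request, otherwise the
    error text FreeIPA reports (the one quoted in the thread)."""
    login = principal.split("@", 1)[0]
    if any(acl.matches(login, login_groups, ca, profile) for acl in acls):
        return None
    return (f"Insufficient access: Principal '{principal}' is not permitted to use "
            f"CA '{ca}' with profile '{profile}' for certificate issuance.")

# Constructed scenario mirroring the thread: the test user, the 'ipa' CA and the
# IECUserRoles profile. The group name and ACL name are assumptions.
PRINCIPAL = "testplem@MGMT.EXAMPLE.COM"
GROUPS = {"cert-selfservice"}
# Equivalent CLI for the rule below (one ACL, scoped to one profile and one CA):
#   ipa caacl-add selfservice_user_certs
#   ipa caacl-add-profile selfservice_user_certs --certprofiles=IECUserRoles
#   ipa caacl-add-ca selfservice_user_certs --cas=ipa
#   ipa caacl-add-user selfservice_user_certs --groups=cert-selfservice
SELFSERVICE_ACL = CAACL("selfservice_user_certs", groups={"cert-selfservice"},
                        profiles={"IECUserRoles"}, cas={"ipa"})

def without_acl():  # the situation in the original message: no ACL matches
    return check_issuance(PRINCIPAL, GROUPS, "ipa", "IECUserRoles", [])

def with_acl(profile="IECUserRoles"):  # after the ACL exists; other profiles stay denied
    return check_issuance(PRINCIPAL, GROUPS, "ipa", profile, [SELFSERVICE_ACL])
```

A matching CA ACL only answers "which profile, for whom, on which CA"; the requester separately still needs the request and retrieve permissions the original message already grants.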
Flo,
Thank you for the help. That is exactly what I needed. I was able to successfully setup an ACL.
On Fri, Dec 27, 2019 at 12:22 PM Florence Blanc-Renaud flo@redhat.com wrote:
On 12/24/19 2:53 PM, Michael Plemmons via FreeIPA-users wrote:
We have a need where we want to allow a user to submit their own CSR to generate their own SSL certificate and to be able to download their own certificate.
I get the following error:
Insufficient access: Principal 'testplem@MGMT.EXAMPLE.COM' is not permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate issuance.
Hi,
please have a look in the documentation at the chapter related to Certificate Authority ACL rules:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/htm...
CA ACLs define which certificate profile can be used to issue certificates to which users/services/hosts.
HTH, flo