Flo,
Thank you for the help. That is exactly what I needed. I was able to
successfully set up an ACL.
On Fri, Dec 27, 2019 at 12:22 PM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
On 12/24/19 2:53 PM, Michael Plemmons via FreeIPA-users wrote:
> We have a need where we want to allow a user to submit their own CSR to
> generate their own SSL certificate and to be able to download their own
> certificate.
>
> I get the following error:
>
> Insufficient access: Principal 'testplem(a)MGMT.EXAMPLE.COM' is not
> permitted to use CA 'ipa' with profile 'IECUserRoles' for certificate
> issuance.
>
Hi,
please have a look in the documentation at the chapter related to
Certificate Authority ACL rules:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
CA ACLs define which certificate profile can be used to issue
certificates to which users/services/hosts.
HTH,
flo
> Here are the permissions I have setup.
>
> * Create a new Privilege called SelfService
>
> * Add the following permissions to the SelfService Privilege
> * Request Certificate (FreeIPA builtin permission)
> * Retrieve Certificates from the CA (FreeIPA builtin permission)
> * UserSelfSerivceCertificate (custom permission)
> * ReadCAProfile (custom permission)
> * ReadIPACA (custom permission)
>
> * Create Role called SelfService
> * Attach the SelfService Privilege to this Role
>
> * I then attach that Role to a test user.
>
> I am sure I am missing other permissions but I am not sure what. If
> there is already documentation that explains how to do this I am happy
> to reference that. If not, what else am I missing.
>
> ============
>
> dn: cn=UserSelfSerivceCertificate,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
> member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
> ipaPermRight: read
> ipaPermRight: search
> ipaPermRight: compare
> ipaPermRight: write
> ipaPermRight: add
> ipaPermTargetFilter: (objectclass=posixaccount)
> ipaPermBindRuleType: permission
> ipaPermissionType: SYSTEM
> ipaPermissionType: V2
> cn: UserSelfSerivceCertificate
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> objectClass: ipapermissionv2
> ipaPermLocation: cn=users,cn=accounts,dc=mgmt,dc=example,dc=com
> ipaPermIncludedAttr: usercertificate
>
> ============
> dn: cn=ReadCAProfile,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
> member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
> ipaPermBindRuleType: permission
> ipaPermTarget: cn=IECUserRoles,cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
> ipaPermRight: read
> ipaPermRight: search
> ipaPermTargetFilter: (objectclass=ipacertprofile)
> ipaPermissionType: SYSTEM
> ipaPermissionType: V2
> cn: ReadCAProfile
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> objectClass: ipapermissionv2
> ipaPermLocation: cn=certprofiles,cn=ca,dc=mgmt,dc=example,dc=com
> ipaPermIncludedAttr: cn
> ipaPermIncludedAttr: description
> ipaPermIncludedAttr: ipacertprofilestoreissued
> ipaPermIncludedAttr: objectclass
>
> ============
>
> dn: cn=ReadIPACA,cn=permissions,cn=pbac,dc=mgmt,dc=example,dc=com
> member: cn=SelfService,cn=privileges,cn=pbac,dc=mgmt,dc=example,dc=com
> ipaPermTarget: cn=ipa,cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
> ipaPermRight: read
> ipaPermRight: search
> ipaPermRight: compare
> ipaPermTargetFilter: (objectclass=ipaca)
> ipaPermBindRuleType: permission
> ipaPermissionType: SYSTEM
> ipaPermissionType: V2
> cn: ReadIPACA
> objectClass: top
> objectClass: groupofnames
> objectClass: ipapermission
> objectClass: ipapermissionv2
> ipaPermLocation: cn=cas,cn=ca,dc=mgmt,dc=example,dc=com
> ipaPermIncludedAttr: cn
> ipaPermIncludedAttr: description
> ipaPermIncludedAttr: ipacaid
> ipaPermIncludedAttr: ipacaissuerdn
> ipaPermIncludedAttr: ipacasubjectdn
> ipaPermIncludedAttr: objectclass
>
>
> Thank you for any insight you are able to provide.
>
> --
> Mike Plemmons
> Senior Infrastructure Engineer
> 614-427-2411
> https://oliveai.com/
> 99 E. Main Street
> Columbus, OH 43215
> oliveai.com <http://oliveai.com/>
> Meet Olive, Your Newest Employee <https://youtu.be/9Vf84z9KA6Y>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>
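An added example, not part of the thread and not FreeIPA project code, of what Flo's pointer amounts to in practice: a CA ACL that lets members of a user group use the profile named in the error ('IECUserRoles') on the 'ipa' CA, followed by the `ipa cert-request` call that the ACL check gates. The thread only supplies the profile name, the CA name and the principal testplem; the group name cert-selfservice, the ACL name selfservice_iecuserroles and the CSR path are assumptions made up for this example. The CA ACL is evaluated by `cert-request` in addition to the RBAC permissions listed in the original post, so a missing ACL fails with exactly the "is not permitted to use CA ... with profile ..." message even when the permissions are right.

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA's own code).
# Assumed names: profile IECUserRoles and CA 'ipa' (from the error message),
# user testplem (from the error message); group cert-selfservice, ACL name
# selfservice_iecuserroles and the CSR path are made up for this example.
#
# IPA defaults to the real 'ipa' client. Set IPA="echo ipa" to print the
# commands instead of running them (dry run; also used by the test).
IPA=${IPA:-ipa}

# create_caacl ACL GROUP PROFILE CA
# Creates a CA ACL that lets members of GROUP issue certificates with
# PROFILE on CA. No hosts or services are added, so the ACL cannot be used
# for host/service principals; that is the least-privilege choice for a
# user self-service rule.
create_caacl() {
    acl=$1
    group=$2
    profile=$3
    ca=$4
    $IPA caacl-add "$acl" --desc "Self-service certs with profile $profile" || return 1
    $IPA caacl-add-ca "$acl" --cas="$ca" || return 1
    $IPA caacl-add-profile "$acl" --certprofiles="$profile" || return 1
    $IPA caacl-add-user "$acl" --groups="$group" || return 1
}

# show_caacl ACL
# Prints the ACL with all attributes; the first thing to check when a user
# gets "is not permitted to use CA ... with profile ..." is whether the CA,
# the profile and the user (or one of their groups) all appear here.
show_caacl() {
    $IPA caacl-show "$1" --all
}

# request_user_cert CSR_FILE PRINCIPAL PROFILE CA
# Run this as the user (after kinit as that user). The CA and profile must
# match what the ACL grants, or cert-request is refused before the CSR is
# ever sent to the CA.
request_user_cert() {
    csr=$1
    principal=$2
    profile=$3
    ca=$4
    $IPA cert-request "$csr" --principal="$principal" --profile-id="$profile" --ca="$ca" || return 1
}

# Only execute the procedure when invoked as "sh this.sh run"; sourcing the
# file (or running the test) just defines the functions above.
if [ "${1:-}" = "run" ]; then
    create_caacl selfservice_iecuserroles cert-selfservice IECUserRoles ipa
    show_caacl selfservice_iecuserroles
    # Example CSR path (assumption); the user supplies their own CSR.
    request_user_cert /tmp/testplem.csr testplem@MGMT.EXAMPLE.COM IECUserRoles ipa
fi
```

The admin steps (`caacl-add*`) need an administrative Kerberos ticket; the `cert-request` step needs the user's own ticket. `caacl-add-user --groups` is preferable to `--usercat=all` because it keeps the profile restricted to the users who actually need it; a CA ACL with `--usercat=all --cacat=all --profilecat=all` would let any principal use any profile on any CA.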