freeipa-issuer

freeipa-auth in samples

Open mossholderm opened this issue 3 years ago • 2 comments

In samples/secret.yaml, should I be replacing the "b64value" for user and password with the base64-encoded version of a FreeIPA user who has permissions to generate certificates? Do they need a specific set of permissions in FreeIPA?

mossholderm avatar Apr 02 '21 05:04 mossholderm

@mossholderm Yes, it's the FreeIPA user/password, base64 encoded. For FreeIPA minimal rights I have to check. I will come back to you :)

guilhem avatar Apr 06 '21 12:04 guilhem

For the permissions, I have found a set of permissions which allows creation of services and issuing of certificates. However, I am not sure whether it is truly minimal or how it behaves when renewing certificates. The permissions are:

  • Request Certificate
  • Retrieve Certificates from the CA
  • Get Certificates status from the CA
  • System: Add Services
  • Service write userCertificate

Service write userCertificate is a custom permission which allows writing to the userCertificate attribute of a service object. Also, for this addHost must be set to false; see #7 for an issue with this.

StefanAbl avatar Apr 15 '21 08:04 StefanAbl
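The two things discussed in this thread, a dedicated FreeIPA account carrying the permission set StefanAbl lists and a secret with base64-encoded user/password as asked about in the opening question, as one added shell example. This is not code from freeipa-issuer or its samples directory, and nothing here is the project's own procedure. The permission names are the five from the comment above (which its author notes may not be truly minimal); the custom permission is created with `ipa permission-add` as a write right on the userCertificate attribute of service entries, which is how the comment describes it. The user name `svc-cert-manager`, the privilege and role names, the Secret name `freeipa-auth` and the Secret keys `user` and `password` are assumptions for illustration, not names taken from the repository.

```shell
#!/bin/sh
# Added example, not part of freeipa-issuer. Two tasks:
#  1. setup_ipa_account: create a FreeIPA user holding exactly the five
#     permissions listed in the issue (four built-in, one custom).
#  2. render_secret: emit a Kubernetes Secret with base64-encoded values.
# Assumed names (not from the issue): svc-cert-manager, "cert-manager issuer",
# "cert-manager issuer role", Secret "freeipa-auth", keys "user"/"password".

set -eu

# Requires an admin Kerberos ticket (kinit admin). Only runs when the script
# is invoked as:  sh make-freeipa-auth.sh ipa [username]
setup_ipa_account() {
    user=${1:-svc-cert-manager}

    # Custom permission from the comment above: write access to the
    # userCertificate attribute, restricted to service objects.
    ipa permission-add "Service write userCertificate" \
        --right=write --type=service --attrs=usercertificate

    # Bundle the five permissions into one privilege, the privilege into a role.
    ipa privilege-add "cert-manager issuer" \
        --desc="Permissions used by freeipa-issuer to issue service certificates"
    ipa privilege-add-permission "cert-manager issuer" \
        --permissions="Request Certificate" \
        --permissions="Retrieve Certificates from the CA" \
        --permissions="Get Certificates status from the CA" \
        --permissions="System: Add Services" \
        --permissions="Service write userCertificate"
    ipa role-add "cert-manager issuer role"
    ipa role-add-privilege "cert-manager issuer role" \
        --privileges="cert-manager issuer"

    # Dedicated service account; --password prompts for the password.
    # FreeIPA marks an admin-set password as expired, so kinit once as this
    # user and change it before putting it in the Secret.
    ipa user-add "$user" --first="cert-manager" --last="service" --password
    ipa role-add-member "cert-manager issuer role" --users="$user"
}

# base64 without the trailing newline "echo | base64" would encode, and
# without the 76-column line wrapping GNU base64 applies by default.
b64enc() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Render the Secret with both values base64 encoded, as secret.yaml expects.
render_secret() {
    user=$1
    password=$2
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: freeipa-auth
type: Opaque
data:
  user: $(b64enc "$user")
  password: $(b64enc "$password")
EOF
}

if [ "${1:-}" = "ipa" ]; then
    setup_ipa_account "${2:-svc-cert-manager}"
elif [ $# -eq 2 ]; then
    render_secret "$1" "$2"
fi
```

Usage: `sh make-freeipa-auth.sh svc-cert-manager 'the-password' > secret.yaml` renders the Secret; `sh make-freeipa-auth.sh ipa svc-cert-manager` runs the `ipa` commands against the domain of your current Kerberos ticket. Note that the permission set above touches only the CA and service objects and grants nothing on host entries, which matches the comment's point that addHost must be false with these rights.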