Thanks for the really in depth replies, Alexander & Robert!
On Fri, May 13, 2022 at 09:27:34PM +0300, Alexander Bokovoy wrote:
> On Fri, 13 May 2022, Sam Morris via FreeIPA-users wrote:
> > I'm looking into using <https://github.com/guilhem/freeipa-issuer> to
> > request certificates from FreeIPA on behalf of a (FreeIPA) service.
> >
> > The project authenticates to the FreeIPA API with a specified username
> > and password:
> >
> > <https://github.com/guilhem/freeipa-issuer/blob/174d145616a672b09d3fdb56b2...>
> >
> > I presume this means that it's only possible for it to authenticate to
> > the FreeIPA API as a user, as opposed to a host or service.
> Not correct. You can authenticate with any Kerberos principal. Your
> rights would be limited to what that object is allowed to do and this
> can be adjusted with permissions/privileges/roles:
> https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/
Ah, right. I didn't explain what I meant very well. Sorry about that.
What I meant is freeipa-issuer is only able to authenticate to the
FreeIPA API using a username & password. And I thought at the time that
that means that freeipa-issuer can only authenticate as a user and not a
host or a service.
Since then I've done a bit more experimentation and have come up with
this procedure:
$ ipa host-add authtest.example.qq --random
<the host now exists, but it doesn't have a Kerberos principal
associated with it yet; therefore the password can't be used to
obtain a Kerberos TGT, so it can't be used with the FreeIPA API>
$ ipa service-add HTTP/authtest.example.qq
$ ipa-join -h authtest.example.qq -w <one-time-password> -k /tmp/authtest.keytab -b dc=example,dc=qq
<the host now has a Kerberos principal associated with it, but with
a randomly generated key instead of one derived from a password>
$ openssl rand -base64 $((128/8))
<generate a password with 128 bits of entropy>
$ ldappasswd -H ldaps://ipa0.example.qq -Y GSSAPI fqdn=authtest.example.qq,cn=computers,cn=accounts,dc=example,dc=qq -s '<new password>'
<set the host's password to the new password>
$ http -f https://ipa0.example.qq/ipa/session/login_password user=host/authtest.example.qq 'password=<new password>'
<log in to the FreeIPA API as the host, using the new password>
This gets me a 200 OK response, so it looks like we're good to go! Next
steps will be to configure freeipa-issuer with these credentials and see
if it's able to request a certificate for HTTP/authtest.example.qq.
Of course it would definitely be better if freeipa-issuer was able to
use Kerberos to authenticate to the FreeIPA API. Maybe I'll give that a
go too...
--
Sam Morris <https://robots.org.uk/>
CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
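The login step above, and the "next step" of requesting a certificate for HTTP/authtest.example.qq over the same session, as an added example that is not code from the original message or from freeipa-issuer. It uses only the standard library. The server name, realm, host name and CSR path are assumptions passed in through environment variables; the API version string is also an assumption (use whatever your server reports).

```python
"""Log in to the FreeIPA JSON-RPC API as a host principal using the password
set on the host entry, then request a certificate for a service on that host.

Added example for this thread, not code from the original message or from
freeipa-issuer. Server, realm, host and CSR are assumptions supplied via
IPA_SERVER, IPA_REALM, IPA_HOST, IPA_PASSWORD and CSR_FILE.
"""
import http.cookiejar
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2.251"  # assumption: use the API version your server reports


def login_request(server, principal, password):
    """Form POST for /ipa/session/login_password, as the thread does with HTTPie.

    FreeIPA's session endpoints reject requests that lack a Referer header
    pointing at the server, so it is set explicitly.
    """
    body = urllib.parse.urlencode({"user": principal, "password": password}).encode()
    return urllib.request.Request(
        f"https://{server}/ipa/session/login_password",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "text/plain",
            "Referer": f"https://{server}/ipa",
        },
    )


def session_cookie(headers):
    """Return the ipa_session value from a list of (name, value) response headers."""
    for name, value in headers:
        if name.lower() == "set-cookie" and value.startswith("ipa_session="):
            return value.split(";", 1)[0].split("=", 1)[1]
    return None


def cert_request_body(csr_pem, principal, request_id=0):
    """JSON-RPC body for cert_request: the CSR is positional, the rest are options."""
    return {
        "method": "cert_request",
        "params": [[csr_pem], {"principal": principal, "version": API_VERSION}],
        "id": request_id,
    }


def parse_rpc_response(raw):
    """Unwrap a JSON-RPC reply; raise with FreeIPA's message if it reports an error."""
    reply = json.loads(raw)
    if reply.get("error"):
        err = reply["error"]
        raise RuntimeError(f"IPA error {err.get('code')}: {err.get('message')}")
    return reply["result"]


def main():
    server = os.environ["IPA_SERVER"]      # e.g. ipa0.example.qq
    realm = os.environ["IPA_REALM"]        # e.g. EXAMPLE.QQ
    host = os.environ["IPA_HOST"]          # e.g. authtest.example.qq
    password = os.environ["IPA_PASSWORD"]  # the value set with ldappasswd
    with open(os.environ["CSR_FILE"]) as f:
        csr_pem = f.read()

    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    try:
        with opener.open(login_request(server, f"host/{host}", password)) as resp:
            token = session_cookie(resp.getheaders())
    except urllib.error.HTTPError as e:
        # FreeIPA explains a 401 in this header (e.g. invalid-password)
        print(f"login failed: {e.code} {e.headers.get('X-IPA-Rejection-Reason')}",
              file=sys.stderr)
        return 1
    if token is None:
        print("login returned 200 but no ipa_session cookie", file=sys.stderr)
        return 1

    rpc = urllib.request.Request(
        f"https://{server}/ipa/session/json",
        data=json.dumps(cert_request_body(csr_pem, f"HTTP/{host}@{realm}")).encode(),
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json",
                 "Referer": f"https://{server}/ipa"},
    )
    with opener.open(rpc) as resp:  # the cookie jar replays ipa_session for us
        result = parse_rpc_response(resp.read())
    print(json.dumps(result, indent=2))  # serial number plus the issued certificate
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

As Alexander's reply says, the session only carries the rights of the bound object: a host can request certificates for services it manages (service-add records the host in the service's managed-by list), and anything beyond that needs a permission/privilege/role granted to the host, otherwise cert_request comes back with an access error that parse_rpc_response surfaces.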