Hi!
This is our currently working setup:
- AD Domain: ourdomain.local (working fine for Windows users' authentication, Domain Controllers, etc.)
- IPA Domain: idm.ourdomain.local (trust relationship successfully set up with the Domain Controllers)
- AD users can login to the IPA Server with their AD credentials.
Goal: Allow AD users to add and manage their own certificates for different services (VPN access and the like). The workflow would be something like:
1. The user adds a new CSR. (The user creates his key and generates the CSR locally.)
2. IPA admins approve and issue the certificate.
3. The user downloads the certificate.
"Local" IPA users can add certificate requests in their profile by clicking on Actions > New Certificate.
AD users are only allowed to edit their profile description, GECOS and login shell, add SSH public keys, and add certificates in PEM format; they cannot add Certificate Requests.
We have tried a few things already:
- Certificate Mappings. They are designed for user authentication to idm.ourdomain.local, so no go.
- From the docs at https://www.freeipa.org/page/Active_Directory_trust_setup, "Allow access for users from AD domain to protected resources": which "protected resource" allows for users' certificates?
- From the RH docs, "CHAPTER 73. ENABLING AD USERS TO ADMINISTER IDM": AD users can administer IdM, but they cannot add a new Certificate Signing Request to their own profile.
Any ideas?
Sorry for the length of the post... TIA
Pedro.