From 39fdccd9216c7a58ba48ed2226a5588a4f19da51 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 12 Jul 2016 15:11:11 +1000
Subject: [PATCH] caacl: expand plugin documentation
|
Expand the 'caacl' plugin documentation to explain some common
confusions including the fact that CA ACLs apply to the target
subject principal (not necessarily the principal requesting the
cert), and the fact that CA-less CA ACL implies the 'ipa' CA.
|
Fixes: https://fedorahosted.org/freeipa/ticket/6002
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/caacl.py | 34 ++++++++++++++++++++++++++++------
1 file changed, 28 insertions(+), 6 deletions(-)
|
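diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index 3f813a7efb9e554abcb8dd2946eea73065c93414..1461c4814727e5774219ac206bab3d078f2daa7d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -23,14 +23,36 @@ if six.PY3:
 __doc__ = _("""
 Manage CA ACL rules.
 
-This plugin is used to define rules governing which principals are
-permitted to have certificates issued using a given certificate
-profile.
+This plugin is used to define rules governing which CAs and profiles
+may be used to issue certificates to particular principals or groups
+of principals.
 
-PROFILE ID SYNTAX:
+SUBJECT PRINCIPAL SCOPE:
 
-A Profile ID is a string without spaces or punctuation starting with a letter
-and followed by a sequence of letters, digits or underscore ("_").
+For a certificate request to be allowed, the principal(s) that are
+the subject of a certificate request (not necessarily the principal
+actually requesting the certificate) must be included in the scope
+of a CA ACL that also includes the target CA and profile.
+
+Users can be included by name, group or the "all users" category.
+Hosts can be included by name, hostgroup or the "all hosts"
+category. Services can be included by service name or the "all
+services" category. CA ACLs may be associated with a single type of
+principal, or multiple types.
+
+CERTIFICATE AUTHORITY SCOPE:
+
+A CA ACL can be associated with one or more CAs by name, or by the
+"all CAs" category. For compatibility reasons, a CA ACL with no CA
+association implies an association with the 'ipa' CA (and only this
+CA).
+
+PROFILE SCOPE:
+
+A CA ACL can be associated with one or more profiles by Profile ID.
+The Profile ID is a string without spaces or punctuation starting
+with a letter and followed by a sequence of letters, digits or
+underscore ("_").
 
 EXAMPLES:
 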
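Review bot: The new SUBJECT PRINCIPAL SCOPE paragraph leaves the evaluation model implicit — it says a matching CA ACL is required, but never states what happens when no ACL matches, nor that CA ACLs are allow-only rules with no deny entries, which is exactly what an operator reviewing issuance policy needs to know. Assuming that is how the checks behave, add after the first paragraph a sentence such as `A request that does not match any CA ACL is rejected; CA ACLs only grant issuance and cannot deny a request that another CA ACL permits.` The CERTIFICATE AUTHORITY SCOPE text would also benefit from spelling out the practical consequence of the compatibility rule, e.g. `Existing CA ACLs created before sub-CAs were introduced therefore do not permit issuance from any sub-CA until a CA or the "all CAs" category is explicitly added.` The docstring being edited starts before the hunk and continues past it.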
--
2.4.3