Closed pki-bot closed 4 years ago
Comment from ftweedal (@frasertweedale) at 2015-05-05 05:41:05
It would be nice to ship support for GSSAPI authentication in Dogtag itself, and the IPA authorization plugin as part of IPA (IMO).
Comment from cheimes (@tiran) at 2015-06-26 12:20:26
The feature request is related to 649, maybe even a duplicate of 649. I can't tell for sure because the other ticket has no description, just a title.
Comment from bja (@sirwalrus) at 2015-09-25 22:20:28
use-case 1: Use a GSSAPI-authenticated CA profile to issue a certificate via a GUI. The CA profile should support searching LDAP groups for authZ data, such that the $username@EXAMPLE.COM principal would be mapped to an LDAP DN. Membership in an LDAP groupofnames or groupofuniquenames group would authorize access to that specific profile.
$username@EXAMPLE.COM -> maps to uid=$username,ou=users,dc=example,dc=com
cn=pki-user,ou=groups,dc=example,dc=com with uniqueMember: uid=$username,ou=users,dc=example,dc=com would authorize access to that profile
This would give users self-service access to create certificates, but provide a facility for limiting what kind of certificates could be issued based on group.
use-case 2: same as above, but should work via the pki CLI command
use-case 3: agents should be able to authorize agent-approved certs via GSSAPI auth rather than certificate authentication in GUI.
use-case 4: agents should be able to authorize agent-approved certs via GSSAPI auth rather than certificate authentication in pki CLI.
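Use-case 1 above (principal to DN mapping, then a group-membership check gating a profile), as an added illustration that is not Dogtag or FreeIPA code; the directory entries, profile names and suffix below are constructed assumptions:

```python
"""Added example (not Dogtag/IPA code): map a Kerberos principal to an LDAP DN
and authorize CA profile access by group membership, as sketched in use-case 1.
Directory contents below are constructed inline; names and suffix are assumed."""
import re

REALM = "EXAMPLE.COM"
USER_BASE = "ou=users,dc=example,dc=com"
# Constructed directory: DN -> attributes (stand-in for LDAP search results).
DIRECTORY = {
    "cn=pki-user,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=alice,ou=users,dc=example,dc=com"],
    },
    "cn=pki-agent,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=users,dc=example,dc=com"],
    },
}
# Assumed profile -> authorizing group mapping (hypothetical profile names).
PROFILE_GROUPS = {
    "userCertProfile": "cn=pki-user,ou=groups,dc=example,dc=com",
    "agentApprovedProfile": "cn=pki-agent,ou=groups,dc=example,dc=com",
}
# Only plain usernames are mapped; anything else (instance components,
# DN metacharacters such as ',' or '=') is rejected, never interpolated into a DN.
_USER_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

def principal_to_dn(principal):
    """Return the user DN for user@REALM, or None if the principal is from
    another realm or has a form we refuse to map."""
    user, sep, realm = principal.rpartition("@")
    if not sep or realm != REALM or not _USER_RE.match(user):
        return None
    return f"uid={user},{USER_BASE}"

def is_member(group_dn, user_dn):
    """groupOfNames uses 'member', groupOfUniqueNames uses 'uniqueMember'.
    Exact string comparison is a simplification of LDAP DN matching rules."""
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False
    attr = "uniqueMember" if "groupOfUniqueNames" in group["objectClass"] else "member"
    return user_dn in group.get(attr, [])

def authorize_profile(principal, profile):
    """True only if the principal maps to a DN listed in the profile's group."""
    user_dn = principal_to_dn(principal)
    group_dn = PROFILE_GROUPS.get(profile)
    return bool(user_dn and group_dn and is_member(group_dn, user_dn))
```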
Comment from mharmsen (@mharmsen) at 2016-02-01 18:32:41
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1303683
Comment from nkinder (@nkinder) at 2016-03-22 00:04:20
Pushing this to the 10.3 backlog after discussion with Ade and Fraser. This isn't needed for the first cut of Dogtag 10.3 since FreeIPA will not consume it yet.
Comment from mharmsen (@mharmsen) at 2016-04-21 18:02:27
Per CS Bug/Ticket Triage held 04/19/2016: 10.4
Confirmed with Fraser.
Comment from ftweedal (@frasertweedale) at 2016-09-16 07:58:26
Note: we also want to add GSS-API support to the pki command line tool, so that it can use a Kerberos ticket to authenticate as an alternative to an X.509 cert.
It may make sense to break that out as a separate ticket, but I'll leave it here as a comment for now.
Comment from mharmsen (@mharmsen) at 2016-12-01 21:24:47
Per Offline Triage of 11/30/2016-12/01/2016: 10.4 - blocker
Comment from simo (@simo5) at 2017-02-27 14:07:15
Metadata Update from @simo5:
Comment from ftweedal (@frasertweedale) at 2017-03-16 03:51:41
7 patches pushed to master
Comment from ftweedal (@frasertweedale) at 2017-03-16 03:51:47
Metadata Update from @frasertweedale:
Comment from mharmsen (@mharmsen) at 2017-03-30 12:11:02
Per PKI Bug Council of 03/23/2017: downgrading to critical
Comment from mharmsen (@mharmsen) at 2017-03-30 12:11:03
Metadata Update from @mharmsen:
Comment from ftweedal (@frasertweedale) at 2017-04-19 02:11:35
Five more commits to close this out:
Comment from ftweedal (@frasertweedale) at 2017-04-19 02:11:53
Metadata Update from @frasertweedale:
Comment from mharmsen (@mharmsen) at 2017-04-19 11:38:33
Metadata Update from @mharmsen:
This issue was migrated from Pagure Issue #1359. Originally filed by simo (@simo5) on 2015-04-30 02:11:48:
When used within the FreeIPA project dogtag should allow authenticating using GSSAPI. Users can be mapped to the FreeIPA directory suffix in this case. Using GSSAPI would allow the IPA framework to fully delegate to dogtag's ACLs some operations requested by users.