Bug 1905374 - restrict EE profile list and enrollment submission per LDAP group without immediate issuance [rhel-7.9.z]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.9
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: 7.9
Assignee: Christina Fu
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks: 1976010
Reported: 2020-12-08 08:03 UTC by Marc Sauton
Modified: 2024-10-01 17:10 UTC

Fixed In Version: pki-core-10.5.18-15.el7_9, pki-core-10.5.18-15.el7pki
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1976010
Environment:
Last Closed: 2021-07-21 01:10:20 UTC
Target Upstream Version:
Embargoed:



Description Marc Sauton 2020-12-08 08:03:42 UTC
Description of problem:

Create roles for Audit, Request and Approve.
Request role should not be able to approve.

No automatic issuance, the CA "Certificate Manager Agents" can approve certificates, and EE enrollment is authenticated

The following example provides automatic issuance as expected, but I need authentication and authorization only to enroll in EE, with no immediate issuance (an agent will approve in a second step).


Version-Release number of selected component (if applicable):
RHEL-7
RHCS-9

How reproducible:
yes


Steps to Reproduce:

1. install a CA

2. add a custom LDAP group called "requestors", for example

dn: cn=requestors,ou=groups,o=subca1-CA
description: requestors for Certificate Manager
objectClass: top
objectClass: groupOfUniqueNames
cn: requestors
uniqueMember: uid=requestor1,ou=people,o=subca1-CA

dn: uid=requestor1,ou=people,o=subca1-CA
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: requestor1
sn: requestor1
cn: requestor1
mail: requestor1
usertype: userType
userstate: 1
userPassword: password


3. review default permissions

ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -w password -b o=subca1-CA cn=aclResources | grep "resourceACLS: certServer.ee."

resourceACLS: certServer.ee.request.ocsp:submit:allow (submit) ipaddress=".*":Any clients can submit ocsp requests
resourceACLS: certServer.ee.certificate:renew,revoke,read,import:allow (renew,revoke,read,import) user="anybody":Anybody may renew,import,revoke,read a certificate
resourceACLS: certServer.ee.certificates:revoke,list:allow (revoke,list) user="anybody":Anybody may revoke, list certificates
resourceACLS: certServer.ee.certchain:download,read:allow (download,read) user="anybody":Anybody may download a certificate chain
resourceACLS: certServer.ee.crl:read,add:allow (read,add) user="anybody":Anybody may add or retrieve CRL
resourceACLS: certServer.ee.request.enrollment:submit:allow (submit) user="anybody":Anybody may submit an enrollment request
resourceACLS: certServer.ee.requestStatus:read:allow (read) user="anybody":Anybody may read request status
resourceACLS: certServer.ee.request.revocation:submit:allow (submit) user="anybody":Anybody may submit a revocation request
resourceACLS: certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles
resourceACLS: certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles


4. try to customize some of those permissions:

- to restrict the end entity pages "profile list" to the LDAP requestors group:

dn: cn=aclResources,o=subca1-CA
changetype: modify
delete: resourceACLS
resourceACLS: certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles
-
add: resourceACLS
resourceACLS: certServer.ee.profiles:list:allow (list) group="requestors":Requestors may list certificate profiles


- to restrict access to any specific profile from the end entity pages to the LDAP requestors group:

dn: cn=aclResources,o=subca1-CA
changetype: modify
delete: resourceACLS
resourceACLS: certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles
-
add: resourceACLS
resourceACLS: certServer.ee.profile:submit,read:allow (submit,read) group="requestors":Requestors may submit certificate profiles


5. customize an enrollment profile to add LDAP authentication for the LDAP group requestors

/var/lib/pki/subca1/ca/profiles/ca/caUserCert.cfg
auth.instance_id=UserDirEnrollment
authz.acl=group="requestors" || group="Enterprise CA Administrators"


6. stop CA and add the LDAP authentication configuration

/etc/pki/subca1/ca/CS.cfg
auths.instance.UserDirEnrollment.dnpattern=uid=$attr.uid,ou=people,o=subca1-CA
auths.instance.UserDirEnrollment.ldap.basedn=ou=people,o=subca1-CA
auths.instance.UserDirEnrollment.ldap.ldapconn.host=ca1.example.test
auths.instance.UserDirEnrollment.ldap.ldapconn.port=389
auths.instance.UserDirEnrollment.ldap.ldapconn.secureConn=false
auths.instance.UserDirEnrollment.ldap.ldapconn.version=3
auths.instance.UserDirEnrollment.ldap.maxConns=
auths.instance.UserDirEnrollment.ldap.minConns=
auths.instance.UserDirEnrollment.ldapByteAttributes=
auths.instance.UserDirEnrollment.ldapStringAttributes=uid,cn,mail
auths.instance.UserDirEnrollment.pluginName=UidPwdDirAuth


7. start CA


Actual results:

automated issuance, but want agent approval

pki -d ~/.dogtag/subca1.client.dir/ca/alias/ -c password -U https://`hostname`:8443/ -n caadmin client-cert-request uid=guest1 --profile=caUserCert --algorithm rsa --length 2048 --type pkcs10 --username requestor1 --password
Password: 
-----------------------------
Submitted certificate request
-----------------------------
  Request ID: 23
  Type: enrollment
  Request Status: complete
  Operation Result: success
  Certificate ID: 0xe
[root@ca1 ~]# 


correct failed authorization, the user was not in the requestors LDAP group:

pki -d ~/.dogtag/subca1.client.dir/ca/alias/ -c password -U https://`hostname`:8443/ -n caadmin client-cert-request uid=guest1 --profile=caUserCert --algorithm rsa --length 2048 --type pkcs10 --username guest1 --password
Password: 
UnauthorizedException: Authorization failed on resource: group="requestors" || group="Enterprise CA Administrators", operation: {1}
[root@ca1 ~]# 



Expected results:

No automatic issuance, the CA "Certificate Manager Agents" can approve certificates, and EE enrollment is authenticated

Additional info:

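Added here as an illustration (not code from the bug report or from pki-core): a Python model of the ACL syntax quoted in steps 3 and 4 (resource:rights:allow (ops) expression:description) that evaluates the default and restricted entries, and the profile's authz.acl expression from step 5, against a principal. The deny-before-allow, default-deny evaluation order is an assumption of this model, not a description of pki-core's own evaluator.

```python
import re
# Constructed sample: resourceACLS values quoted in the report, before and after step 4
ACLS_DEFAULT = [
    'certServer.ee.profiles:list:allow (list) user="anybody":Anybody may list certificate profiles',
    'certServer.ee.profile:submit,read:allow (submit,read) user="anybody":Anybody may submit certificate profiles',
]
ACLS_RESTRICTED = [
    'certServer.ee.profiles:list:allow (list) group="requestors":Requestors may list certificate profiles',
    'certServer.ee.profile:submit,read:allow (submit,read) group="requestors":Requestors may submit certificate profiles',
]
# Profile-level expression from the report's caUserCert.cfg (authz.acl=...)
PROFILE_AUTHZ = 'group="requestors" || group="Enterprise CA Administrators"'
ATOM_RE = re.compile(r'^\s*(user|group|ipaddress)\s*=\s*"([^"]*)"\s*$')
RULE_RE = re.compile(r'^\s*(allow|deny)\s*\(([^)]*)\)\s*(.*?)\s*$')

def atom_matches(atom, principal):
    """One user=/group=/ipaddress= term against {"user", "groups", "ip"}."""
    m = ATOM_RE.match(atom)
    if not m:
        raise ValueError("unsupported ACL term: %r" % atom)
    kind, value = m.groups()
    if kind == "user":
        return value == "anybody" or value == principal.get("user")
    if kind == "group":
        return value in principal.get("groups", ())
    return re.fullmatch(value, principal.get("ip", "")) is not None

def expr_matches(expr, principal):
    """Evaluate an expression made of '&&' terms joined by '||' (as in the report)."""
    return any(all(atom_matches(a, principal) for a in term.split("&&"))
               for term in expr.split("||"))

def parse_acl(line):
    """'resource:rights:rule;rule...:description' -> (resource, [(verb, ops, expr), ...])"""
    resource, _rights, rest = line.split(":", 2)
    rules_text = rest.rsplit(":", 1)[0]      # strip the trailing free-text description
    rules = []
    for rule in rules_text.split(";"):
        verb, ops, expr = RULE_RE.match(rule).groups()
        rules.append((verb, {o.strip() for o in ops.split(",")}, expr))
    return resource, rules

def is_allowed(acls, resource, op, principal):
    """Assumed model: a matching deny wins, else any matching allow, else denied."""
    for line in acls:
        res, rules = parse_acl(line)
        if res != resource:
            continue
        hits = [v for v, ops, e in rules if op in ops and expr_matches(e, principal)]
        return "deny" not in hits and "allow" in hits
    return False
```

Running is_allowed over the two lists reproduces the intended change: guest1 can list profiles under the default entries but not the restricted ones, while a member of requestors still can; expr_matches on PROFILE_AUTHZ mirrors the UnauthorizedException seen for guest1 in the actual results.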
Comment 19 errata-xmlrpc 2021-07-21 01:10:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (pki-core bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2809

