此内容没有您所选择的语言版本。
Chapter 12. Identity: Delegating Access to Hosts and Services
As discussed in Section 1.3, “Relationships Between Servers and Clients”, within the IdM domain, manage means being able to retrieve a keytab and certificates for another host or service. Every host and service has a
managedby
entry which lists what hosts or services can manage it. By default, a host can manage itself and all of its services. It is also possible to allow a host to manage other hosts, or services on other hosts, by updating the appropriate delegations or providing a suitable managedby
entry.
An IdM service can be managed from any IdM host, as long as that host has been granted, or delegated, permission to access the service. Likewise, hosts can be delegated permissions to other hosts within the domain.
Figure 12.1. Host and Service Delegation
Note
If a host is delegated authority to another host through a
managedBy
entry, it does not mean that the host has also been delegated management for all services on that host. Each delegation has to be performed independently.
12.1. Delegating Service Management
A host is delegated control over a service using the
service-add-host
command. There are two parts to delegating the service: specifying the principal and identifying the hosts (in a comma-separated list) with control:
# ipa service-add-host principal --hosts=hostnames
For example:
# ipa service-add-host http/web.example.com --hosts=client1.example.com
Once the host is delegated authority, the host principal can be used to manage the service:
# kinit -kt /etc/krb5.keytab host/`hostname` # ipa-getkeytab -s `hostname` -k /tmp/test.keytab -p http/web.example.com Keytab successfully retrieved and stored in: /tmp/test.keytab
To create a ticket for this service, create a certificate request on the host with the delegated authority and use the
cert-request
command to create a service entry and load the certification information:
# ipa cert-request --add --principal=http/web.example.com web.csr Certificate: MIICETCCAXqgA...[snip] Subject: CN=web.example.com,O=EXAMPLE.COM Issuer: CN=EXAMPLE.COM Certificate Authority Not Before: Tue Feb 08 18:51:51 2011 UTC Not After: Mon Feb 08 18:51:51 2016 UTC Fingerprint (MD5): c1:46:8b:29:51:a6:4c:11:cd:81:cb:9d:7c:5e:84:d5 Fingerprint (SHA1): 01:43:bc:fa:b9:d8:30:35:ee:b6:54:dd:a4:e7:d2:11:b1:9d:bc:38 Serial number: 1005