5.4. 定义 CA ACL 以控制对证书配置文件的访问
按照以下流程,使用 caacl
工具定义 CA 访问控制列表(ACL)规则,以允许组中的用户访问自定义证书配置文件。在这种情况下,流程描述了如何创建 S/MIME 用户的组和 CA ACL,以允许该组中的用户访问 smime
证书配置文件。
先决条件
- 确保您已获取 IdM 管理员的凭据。
流程
为证书配置集的用户创建一个新组:
$ ipa group-add smime_users_group --------------------------------- Added group "smime users group" --------------------------------- Group name: smime_users_group GID: 75400001
创建一个新用户来添加到
smime_user_group
组:$ ipa user-add smime_user First name: smime Last name: user ---------------------- Added user "smime_user" ---------------------- User login: smime_user First name: smime Last name: user Full name: smime user Display name: smime user Initials: TU Home directory: /home/smime_user GECOS: smime user Login shell: /bin/sh Principal name: smime_user@IDM.EXAMPLE.COM Principal alias: smime_user@IDM.EXAMPLE.COM Email address: smime_user@idm.example.com UID: 1505000004 GID: 1505000004 Password: False Member of groups: ipausers Kerberos keys available: False
将
smime_user
添加到smime_users_group
组:$ ipa group-add-member smime_users_group --users=smime_user Group name: smime_users_group GID: 1505000003 Member users: smime_user ------------------------- Number of members added 1 -------------------------
创建 CA ACL 以允许组中的用户访问证书配置集:
$ ipa caacl-add smime_acl ------------------------ Added CA ACL "smime_acl" ------------------------ ACL name: smime_acl Enabled: TRUE
在 CA ACL 中添加用户组:
$ ipa caacl-add-user smime_acl --group smime_users_group ACL name: smime_acl Enabled: TRUE User Groups: smime_users_group ------------------------- Number of members added 1 -------------------------
向 CA ACL 中添加证书配置文件:
$ ipa caacl-add-profile smime_acl --certprofile smime ACL name: smime_acl Enabled: TRUE Profiles: smime User Groups: smime_users_group ------------------------- Number of members added 1 -------------------------
验证
查看您创建的 CA ACL 的详情:
$ ipa caacl-show smime_acl ACL name: smime_acl Enabled: TRUE Profiles: smime User Groups: smime_users_group ...
其它资源
-
请参阅
ipa
man page。 -
请参阅
ipa help caacl
。