
Service Delegation

Manage constrained delegation rules for Kerberos services (S4U2Proxy). Service delegation lets a service obtain tickets on behalf of a user in order to access other services. The commands cover creating rules and targets, managing which principals may delegate (rule members) and which services they may delegate to (target members), so that service-to-service authentication on behalf of an end user stays constrained to an explicit allow-list.


Manage rules that allow constrained delegation of credentials, so that a service can impersonate a user when communicating with another service without requiring the user to forward their TGT. This is a much safer way to delegate credentials, because the user's short-term secret (the TGT) is never handed to the intermediate service; the service only obtains a ticket for the specific target services the rule allows.

The naming convention is to append the word “target” or “targets” to a matching rule name. This is not mandatory but helps conceptually to associate rules and targets.

A rule consists of two things:

  • A list of targets the rule applies to
  • A list of memberPrincipals that are allowed to delegate for those targets

A target consists of a list of principals that can be delegated.

In English, a rule says that this principal can delegate as this list of principals, as defined by these targets.

In both a rule and a target, Kerberos principals may be specified by their name or an alias, and the realm can be omitted. Additionally, hosts can be specified by their names: if the Kerberos principal specified has a single component and does not end with a '$' sign, it is treated as a host name. Kerberos principal names ending with '$' are typically used as aliases for Active Directory-related services (machine accounts).
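The paragraph above describes how member specifications are interpreted. As an added example (not part of the FreeIPA documentation or code base), the following Python function applies exactly those rules to a specification string and returns the full principal the rule or target will hold. The default realm EXAMPLE.COM is an assumption; alias resolution requires the directory and is deliberately not attempted here. Malformed specifications raise an error instead of being guessed at.

```python
"""Canonicalise member specifications for servicedelegation rules/targets.

Added example, not FreeIPA code. Implements the interpretation rules from
the page: realm optional, single component without '$' is a host name,
single component ending in '$' is an AD-style alias kept verbatim.
"""

DEFAULT_REALM = "EXAMPLE.COM"  # assumption: the realm of this IPA deployment


def canonicalize(spec: str, realm: str = DEFAULT_REALM) -> str:
    """Return the full Kerberos principal for a rule/target member spec.

    'ipa.example.com'        -> 'host/ipa.example.com@EXAMPLE.COM'
    'ldap/ipa.example.com'   -> 'ldap/ipa.example.com@EXAMPLE.COM'
    'DC01$'                  -> 'DC01$@EXAMPLE.COM'   (AD alias, kept as-is)
    'HTTP/x@AD.EXAMPLE.COM'  -> unchanged (explicit realm wins)
    """
    if not spec or spec != spec.strip():
        raise ValueError(f"malformed principal spec: {spec!r}")

    # An explicit realm follows the last '@'; service components never contain '@'.
    name, sep, spec_realm = spec.rpartition("@")
    if not sep:
        name, spec_realm = spec, realm
    if not name or not spec_realm:
        raise ValueError(f"malformed principal spec: {spec!r}")

    components = name.split("/")
    if any(c == "" for c in components):
        raise ValueError(f"empty principal component in {spec!r}")

    # Page rule: one component, not ending in '$', is a host name.
    if len(components) == 1 and not components[0].endswith("$"):
        name = f"host/{components[0]}"

    return f"{name}@{spec_realm}"


def canonicalize_all(specs, realm: str = DEFAULT_REALM):
    """Canonicalise a list of specs, deduplicating while keeping order."""
    seen, out = set(), []
    for spec in specs:
        full = canonicalize(spec, realm)
        if full not in seen:
            seen.add(full)
            out.append(full)
    return out


if __name__ == "__main__":
    # Mirrors the page's own EXAMPLES: ftp service plus the IPA host principal.
    for p in canonicalize_all(["ftp/ipa.example.com", "ipa.example.com", "ipa.example.com"]):
        print(p)
```

Running the script prints the two principals that the ftp-delegation rule in the EXAMPLES section ends up holding, which is a quick way to sanity-check a spec before passing it to servicedelegationrule-add-member.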

EXAMPLES

Add a new constrained delegation rule:

ipa servicedelegationrule-add ftp-delegation

Add a new constrained delegation target:

ipa servicedelegationtarget-add ftp-delegation-target

Add a principal to the rule:

ipa servicedelegationrule-add-member --principals=ftp/ipa.example.com ftp-delegation

Add a host principal of the host ‘ipa.example.com’ to the rule:

ipa servicedelegationrule-add-member --principals=ipa.example.com ftp-delegation

Add our target to the rule:

ipa servicedelegationrule-add-target --servicedelegationtargets=ftp-delegation-target ftp-delegation

Add a principal to the target:

ipa servicedelegationtarget-add-member --principals=ldap/ipa.example.com ftp-delegation-target

Display information about a named delegation rule and target:

ipa servicedelegationrule-show ftp-delegation
ipa servicedelegationtarget-show ftp-delegation-target

Remove a constrained delegation:

ipa servicedelegationrule-del ftp-delegation
ipa servicedelegationtarget-del ftp-delegation-target

In this example the ftp service (and the host principal of ipa.example.com, which was also added as a member) can obtain a service ticket for the ldap service on the bound user's behalf. Note that S4U2Proxy yields a ticket for the named target service only, not a TGT for the user; the ftp service cannot use it to reach any service outside the targets of the rule.

It is strongly discouraged to modify the delegations that ship with IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and ipa-ldap-delegation-targets. Incorrect changes can remove the ability to delegate, causing the framework to stop functioning.
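Because every rule in the s4u2proxy container is effectively a grant of "this service may act as any user towards these services", it is worth reviewing them as a whole rather than one show command at a time. The script below is an added example (not FreeIPA code) that takes the text of servicedelegationrule-find and servicedelegationtarget-find captured with --all --raw, resolves each rule's allowed targets to the principals they contain, and prints who may impersonate users to what. It assumes the --raw output shape of one "attribute: value" line per attribute with a blank line between entries, and that ipaallowedtarget values are the target DNs under cn=s4u2proxy,cn=etc. The sample output embedded below is constructed for the example (it includes a rule pointing at a target that no longer exists, to show that check); the names ipa-http-delegation, ipa-ldap-delegation-targets and ipa-cifs-delegation-targets are the built-in ones the page warns against modifying.

```python
"""Audit FreeIPA constrained-delegation rules from captured CLI output.

Added example, not FreeIPA code. Input is assumed to be the text of
  ipa servicedelegationrule-find --all --raw
  ipa servicedelegationtarget-find --all --raw
The RULES_RAW / TARGETS_RAW strings below are constructed sample output.
"""
import re
from collections import defaultdict

RULES_RAW = """\
-----------------------------------
3 service delegation rules matched
-----------------------------------
  dn: cn=ftp-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
  cn: ftp-delegation
  ipaallowedtarget: cn=ftp-delegation-target,cn=s4u2proxy,cn=etc,dc=example,dc=com
  memberprincipal: ftp/ipa.example.com@EXAMPLE.COM
  memberprincipal: host/ipa.example.com@EXAMPLE.COM

  dn: cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
  cn: ipa-http-delegation
  ipaallowedtarget: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
  ipaallowedtarget: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
  memberprincipal: HTTP/ipa.example.com@EXAMPLE.COM

  dn: cn=legacy-delegation,cn=s4u2proxy,cn=etc,dc=example,dc=com
  cn: legacy-delegation
  ipaallowedtarget: cn=legacy-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
  memberprincipal: HTTP/old.example.com@EXAMPLE.COM
----------------------------
Number of entries returned 3
----------------------------
"""

TARGETS_RAW = """\
  dn: cn=ftp-delegation-target,cn=s4u2proxy,cn=etc,dc=example,dc=com
  cn: ftp-delegation-target
  memberprincipal: ldap/ipa.example.com@EXAMPLE.COM

  dn: cn=ipa-ldap-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
  cn: ipa-ldap-delegation-targets
  memberprincipal: ldap/ipa.example.com@EXAMPLE.COM

  dn: cn=ipa-cifs-delegation-targets,cn=s4u2proxy,cn=etc,dc=example,dc=com
  cn: ipa-cifs-delegation-targets
  memberprincipal: cifs/ipa.example.com@EXAMPLE.COM
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z][\w;-]*):\s*(.*)$")
BUILTIN_PREFIX = "ipa-"  # rules/targets that ship with IPA (ipa-http-delegation, ...)


def parse_raw(text):
    """Return {cn: {attr: [values]}} from --raw output; separators are ignored."""
    entries, cur = {}, defaultdict(list)
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if cur.get("cn"):
                entries[cur["cn"][0]] = dict(cur)
            cur = defaultdict(list)
            continue
        m = ATTR_RE.match(line)
        if m:
            cur[m.group(1).lower()].append(m.group(2))
    return entries


def target_cn(dn):
    """ipaallowedtarget holds the target's DN; its name is the leading cn RDN."""
    m = re.match(r"^cn=([^,]+),", dn, re.IGNORECASE)
    if not m:
        raise ValueError(f"unexpected target DN: {dn!r}")
    return m.group(1)


def audit(rules_raw, targets_raw):
    """Return (grants, findings): grants[rule][member] -> sorted reachable principals."""
    rules, targets = parse_raw(rules_raw), parse_raw(targets_raw)
    grants, findings = {}, []
    for name, rule in sorted(rules.items()):
        members = rule.get("memberprincipal", [])
        allowed = rule.get("ipaallowedtarget", [])
        reachable = set()
        for dn in allowed:
            tcn = target_cn(dn)
            if tcn not in targets:
                findings.append(f"{name}: allowed target {tcn!r} does not exist")
                continue
            tmembers = targets[tcn].get("memberprincipal", [])
            if not tmembers:
                findings.append(f"{name}: target {tcn!r} has no member principals")
            reachable.update(tmembers)
        if not members:
            findings.append(f"{name}: no member principals (rule grants nothing)")
        if not allowed:
            findings.append(f"{name}: no allowed targets (rule grants nothing)")
        if name.startswith(BUILTIN_PREFIX):
            findings.append(f"{name}: ships with IPA; do not modify")
        grants[name] = {member: sorted(reachable) for member in members}
    return grants, findings


if __name__ == "__main__":
    grants, findings = audit(RULES_RAW, TARGETS_RAW)
    for rule, per_member in grants.items():
        for member, reach in per_member.items():
            print(f"{rule}: {member} -> {', '.join(reach) or '(nothing)'}")
    for f in findings:
        print("WARNING:", f)
```

In a real deployment, replace the constructed strings with the captured command output (for example by reading two files passed on the command line) and review the grants line by line: each one is a principal that can present itself as any authenticated user to the listed services, so a member or target that nobody can explain is a finding in itself.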

Commands

Command                                   Description
servicedelegationrule-add                 Create a new service delegation rule.
servicedelegationrule-add-member          Add a member to a named service delegation rule.
servicedelegationrule-add-target          Add a target to a named service delegation rule.
servicedelegationrule-del                 Delete a service delegation rule.
servicedelegationrule-find                Search for service delegation rules.
servicedelegationrule-remove-member       Remove a member from a named service delegation rule.
servicedelegationrule-remove-target       Remove a target from a named service delegation rule.
servicedelegationrule-show                Display information about a named service delegation rule.
servicedelegationtarget-add               Create a new service delegation target.
servicedelegationtarget-add-member        Add a member to a named service delegation target.
servicedelegationtarget-del               Delete a service delegation target.
servicedelegationtarget-find              Search for service delegation targets.
servicedelegationtarget-remove-member     Remove a member from a named service delegation target.
servicedelegationtarget-show              Display information about a named service delegation target.


servicedelegationrule-add

Usage: ipa [global-options] servicedelegationrule-add DELEGATION-NAME [options]

Create a new service delegation rule.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.


servicedelegationrule-add-member

Usage: ipa [global-options] servicedelegationrule-add-member DELEGATION-NAME [options]

Add member to a named service delegation rule.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--principals PRINCIPALS principal to add


servicedelegationrule-add-target

Usage: ipa [global-options] servicedelegationrule-add-target DELEGATION-NAME [options]

Add target to a named service delegation rule.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--servicedelegationtargets SERVICEDELEGATIONTARGETS service delegation targets to add


servicedelegationrule-del

Usage: ipa [global-options] servicedelegationrule-del DELEGATION-NAME [options]

Delete a service delegation rule.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--continue Continuous mode: Don’t stop on errors.



servicedelegationrule-find

Usage: ipa [global-options] servicedelegationrule-find [CRITERIA] [options]

Search for service delegation rules.

Arguments


Argument Required Description


CRITERIA no A string searched in all relevant object attributes


Options


Option Description


--delegation-name DELEGATION-NAME Delegation name

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“delegation-name”)


servicedelegationrule-remove-member

Usage: ipa [global-options] servicedelegationrule-remove-member DELEGATION-NAME [options]

Remove member from a named service delegation rule.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--principals PRINCIPALS principal to remove


servicedelegationrule-remove-target

Usage: ipa [global-options] servicedelegationrule-remove-target DELEGATION-NAME [options]

Remove target from a named service delegation rule.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.

--servicedelegationtargets SERVICEDELEGATIONTARGETS service delegation targets to remove


servicedelegationrule-show

Usage: ipa [global-options] servicedelegationrule-show DELEGATION-NAME [options]

Display information about a named service delegation rule.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--no-members Suppress processing of membership attributes.


servicedelegationtarget-add

Usage: ipa [global-options] servicedelegationtarget-add DELEGATION-NAME [options]

Create a new service delegation target.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.

--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute must be part of the schema.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.


servicedelegationtarget-add-member

Usage: ipa [global-options] servicedelegationtarget-add-member DELEGATION-NAME [options]

Add member to a named service delegation target.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--principals PRINCIPALS principal to add


servicedelegationtarget-del

Usage: ipa [global-options] servicedelegationtarget-del DELEGATION-NAME [options]

Delete a service delegation target.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--continue Continuous mode: Don’t stop on errors.



servicedelegationtarget-find

Usage: ipa [global-options] servicedelegationtarget-find [CRITERIA] [options]

Search for service delegation targets.

Arguments


Argument Required Description


CRITERIA no A string searched in all relevant object attributes


Options


Option Description


--delegation-name DELEGATION-NAME Delegation name

--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)

--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--pkey-only Results should contain primary key attribute only (“delegation-name”)


servicedelegationtarget-remove-member

Usage: ipa [global-options] servicedelegationtarget-remove-member DELEGATION-NAME [options]

Remove member from a named service delegation target.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.

--principals PRINCIPALS principal to remove


servicedelegationtarget-show

Usage: ipa [global-options] servicedelegationtarget-show DELEGATION-NAME [options]

Display information about a named service delegation target.

Arguments


Argument Required Description


DELEGATION-NAME yes Delegation name


Options


Option Description


--rights Display the access rights of this entry (requires --all). See ipa man page for details.

--all Retrieve and print all attributes from the server. Affects command output.

--raw Print entries as stored on the server. Only affects output format.
