Logs are my friend. The server was not listening on 127.0.0.1, so
configuration updates were not propagating to the repository after it
was initially created. Any users that existed prior to its creation
would work, just not any created afterwards...fun.
I can now grant access to a user to some entities, but only under a very
specific (and unacceptable) manner.
Here is my setup:
The name of my PKI entity and Admin Cert is 'PKI_MTS'. This user has
access to everything.
Let's say I create 2 more users called 'Test Admin' and 'Test User'.
'Test Admin' is set as a PKI Admin, 'Test User' is not, but has all
privileges set through ACLs.
Now, I create 3 CA entities through the server admin window: 'CA1, CA2,
First, let's handle CA1. I log in to the PKI Admin window as 'PKI_MTS'.
I then import the request, configure it, give all ACL permissions to
'Test User', and activate it. I can now log into it only as 'PKI_MTS',
but not the other 2 users.
Ok, now I set up CA2, using 'Test Admin' to import instead of 'PKI_MTS'.
All other settings are the same. Now, I can log in as either 'PKI_MTS'
or 'Test Admin', but 'Test User' still cannot.
Finally, I set up CA3, using 'Test User' this time. All goes well, but I
can only log in as 'PKI_MTS', not the other 2.
I'll illustrate it graphically ('+' denotes working, 'X' not working):
User         PKI Admin Window   CA1   CA2   CA3
PKI_MTS      +                  +     +     +
Test Admin                      X     +     X
Test User                       X     X     X
Does anyone have any clue why this works this way? I've granted 'Test
User' EVERY possible ACL permission, and they can't log in to any CA
entity. 'Test Admin', as a PKI Admin, should be able to log in to
anything that PKI_MTS can, but it can only log in to a CA whose request
it signed/imported. PKI_MTS can do anything and everything.
What is the point of having separate users if they cannot have access to
anything? I want to lock up the 'PKI_MTS' key, and just have a very
limited user to handle the day-to-day administration of the CAs and RAs.
Making another admin user is not a good solution at all, since someone
could wreak havoc with that kind of access.
I am having trouble with giving new users access to certain entities. No
matter what I do, any new user I create only has access to the PKI
Administration entity, but not anything else (CAs, RAs, etc.). This is
the error I receive when I try to log in to anything other than that:
Error sent by PKI server: #3039
You are not allowed to perform this action
I receive this error even if the user is created as a PKI admin. I've
tried that, creating as a regular user, giving them all ACL permissions,
giving them none; it doesn't matter. They work fine logging into the PKI
Admin, just not into anything else. The only user that can is the first
one that was created with the Admin entity.
Does anyone have any clues? Something has to be wrong here, and I'm just