[Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add

Martin Kosek mkosek at redhat.com
Wed Oct 8 07:24:06 UTC 2014


On 10/07/2014 06:48 PM, Jan Cholasta wrote:
> Hi,
> 
> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4540>.
> 
> The error message is now the generic ACI error message, e.g. "Insufficient
> access: Insufficient 'add' privilege to add the entry
> 'krbprincipalname=something/somehost.example.com at EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com'."
> 
> Honza

Yup, simpler is better in this case. The certmonger tracker seems easier to
understand to me now:

# ipa-getcert list -i 20141008071708
Number of certificates and requests being tracked: 9.
Request ID '20141008071708':
	status: CA_REJECTED
	ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access:
Insufficient 'add' privilege to add the entry
'krbprincipalname=test/ipa.mkosek-fedora20.test at MKOSEK-FEDORA20.TEST,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.).
	stuck: yes
	key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
	certificate: type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes


ACK. Pushed to:
master: 8e602eaf46b71ad8f713f549d6a823c70567bb22
ipa-4-1: ed5ffbfd75f3f1a62581c50a2c64d9e75fc74081
ipa-4-0: 80da03a2169de3a78edec42c1eab1f87734f49a7

Martin



