[Freeipa-devel] design review: Certificate Profiles

Fraser Tweedale ftweedal at redhat.com
Sat Apr 18 07:42:35 UTC 2015


On Fri, Apr 17, 2015 at 02:21:16PM +0200, Milan Kubik wrote:
> On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >Hi everyone,
> >
> >Please review my Certificate Profiles design proposal:
> >http://www.freeipa.org/page/V4/Certificate_Profiles
> >
> >Let me know what is unclear, what needs expansion, and what is plain
> >wrong :)
> >
> >The schema for storing multiple certificates for a principal is
> >still being discussed but I expect it will be agreed soon, and I
> >will add it to the document.
> >
> >I am revising the sub-CAs design proposal and it will soon be
> >published for review as well.
> >
> >Cheers,
> >Fraser
> >
> Hello Fraser,
> 
> I will reiterate one of my concerns from our private mails here for the
> wider audience :)
> 
> I'd really like to have a way to list the profiles managed by IPA other
> than using
> the dogtag REST API directly. Simple wrapper around the api call for
> /ca/rest/profiles[/$id[/raw]]
> endpoints returning a list of IDs [and dumping the profile to file] for the
> sake of consistency,
> since other endpoints are wrapped by ipa commands, would be sufficient for
> me.
> 
> This can be also used to query the information (at least the list of IDs)
> when used in the web UI.
> 
> I don't know how exactly dogtag is wired into IPA (I've seen that there is
> separate suffix
> on the DS instance) and I don't really need to duplicate any data into the
> defaultNamingContext
> and its subtree.
> 
> 
> Cheers,
> Milan
> 
I thought some more about your suggestion and agree that it makes
sense to keep a record of IPA-managed profiles in the IPA directory,
and whatever attributes IPA needs on a regular basis to avoid
calling out to Dogtag unnecessarily.  I'll propose the schema
shortly.

Cheers,
Fraser



