[Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs

Fraser Tweedale ftweedal at redhat.com
Mon Jun 1 07:22:28 UTC 2015


On Mon, Jun 01, 2015 at 05:10:58PM +1000, Fraser Tweedale wrote:
> On Fri, May 29, 2015 at 01:03:46PM +0200, Martin Kosek wrote:
> > On 05/29/2015 11:21 AM, Martin Basti wrote:
> > >On 29/05/15 06:17, Fraser Tweedale wrote:
> > >>On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
> > >>>On 28/05/15 11:48, Martin Basti wrote:
> > >>>>On 27/05/15 16:04, Fraser Tweedale wrote:
> > >>>>>Hello all,
> > >>>>>
> > >>>>>Fresh certificate management patchset; Changelog:
> > >>>>>
> > >>>>>- Now depends on patch freeipa-ftweedal-0014 for correct
> > >>>>>cert-request behaviour with host and service principals.
> > >>>>>
> > >>>>>- Updated Dogtag dependency to 10.2.4-1.  Should be in
> > >>>>>f22 soon, but for f22 right now or for f21, please grab from my
> > >>>>>copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> > >>>>>
> > >>>>>   Martin^1 could you please add to the quasi-official freeipa
> > >>>>>   copr?  SRPM lives at
> > >>>>>   https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
> > >>>>>
> > >>>>>- cert-request now verifies that for user principals, CSR CN
> > >>>>>matches uid and, DN emailAddress and SAN rfc822Name match user's
> > >>>>>email address, if either of those is present.
> > >>>>>
> > >>>>>- Fixed one or two other sneaky little bugs.
> > >>>>>
> > >>>>>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
> > >>>>>>Hi all,
> > >>>>>>
> > >>>>>>Please find attached the latest certificate management
> > >>>>>>patchset, which introduces the `caacl' plugin and various fixes
> > >>>>>>and improvements to earlier patches.
> > >>>>>>
> > >>>>>>One important change to earlier patches is reverting the name
> > >>>>>>of the default profile to 'caIPAserviceCert' and using the
> > >>>>>>existing instance of this profile on upgrade (but not install)
> > >>>>>>in case it has been modified.
> > >>>>>>
> > >>>>>>Other notes:
> > >>>>>>
> > >>>>>>- Still have changes in ipa-server-install (fewer lines now,
> > >>>>>>though)
> > >>>>>>
> > >>>>>>- Still have the ugly import hack.  It is not a high priority
> > >>>>>>for me, i.e. I think it should wait until after alpha
> > >>>>>>
> > >>>>>>- Still need to update 'service' and 'host' plugins to support
> > >>>>>>multiple certificates.  (The userCertificate attribute schema
> > >>>>>>itself is multi-valued, so there are no schema issues here)
> > >>>>>>
> > >>>>>>- The TODOs in [1]; mostly certprofile CLI conveniences and
> > >>>>>>supporting multiple profiles for hosts and services (which
> > >>>>>>requires changes to framework only, not schema).  [1]:
> > >>>>>>http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> > >>>>>>
> > >>>>>>Happy reviewing!  I am pleased with the initial cut of the
> > >>>>>>caacl plugin but I'm sure you will find some things to be fixed
> > >>>>>>:)
> > >>>>>>
> > >>>>>>Cheers, Fraser
> > >>>>[root at vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94
> > >>>>Directory Manager (existing master) password:
> > >>>>
> > >>>>Preparing replica for vm-094.example.com from vm-093.example.com
> > >>>>Creating SSL certificate for the Directory Server
> > >>>>not well-formed (invalid token): line 2, column 14
> > >>>>
> > >>>>I cannot create the replica file.  It works on the upgraded server,
> > >>>>but it doesn't work on the newly installed server.  I'm not sure
> > >>>>whether this is caused by your patches which modify the ca-installer,
> > >>>>or by the newer version of dogtag.
> > >>>>
> > >>>>Or if there was any other changes in master, I will continue to
> > >>>>investigate with new RPM from master branch.
> > >>>>
> > >>>>Martin^2
> > >>>>
> > >>>ipa-replica-prepare works for:
> > >>>* master branch
> > >>>* master branch + pki-ca 10.2.4-1
> > >>>
> > >>>So something in your patches is breaking it
> > >>>
> > >>>Martin^2
> > >>>
> > >>Martin, master + my patches with pki 10.2.4-1 is working for me on
> > >>f21 and f22.  Can you provide ipa-replica-prepare --debug output and
> > >>Dogtag debug log?  ( /var/log/pki/pki-tomcat/ca/debug )
> > >>
> > >>Thanks,
> > >>Fraser
> > >I cannot reproduce it today.  And I already recycled the VMs from yesterday. :-(
> > >
> > 
> > In that case I would suggest ACKing & pushing the patch and fixing the bug if
> > it comes again. The tree may now be a bit unstable, given the number of
> > patches going in.
> > 
> > My main motivation here is to unblock Fraser.
> > 
> > Thanks,
> > Martin
> 
> Rebased patchset attached; no other changes.

Heads up: I just discovered I have introduced a bug with
ipa-replica-install, when it is spawning the CA instance.  I think
it only causes issues with ``--setup-ca``.

I will try and sort it out tomorrow or later tonight (I have to head
out for a few hours now, though); and I'm not suggesting it should
block the push but it's something to be aware of.

Cheers,
Fraser
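The identity checks the patchset describes for user principals (the CSR CN must match the user's uid; a subject emailAddress and a SAN rfc822Name, where present, must match the user's email address), written out as an added stand-alone example.  This is not FreeIPA's cert-request code: the CSR is assumed to be already parsed into subject attribute pairs and SAN entries, the user entry is a plain record, and the ParsedCSR, UserEntry and validate_user_csr names are hypothetical ones introduced here.  The sample CSRs and user at the bottom are constructed for the demonstration.

```python
# Added example, not FreeIPA code: enforce that the identity claims in a
# user's CSR are backed by the LDAP entry the certificate is requested for.
# Without this, anyone allowed to request a cert for their own principal
# could ask the CA for a cert naming somebody else in CN or email.
from dataclasses import dataclass, field


@dataclass
class ParsedCSR:
    # Hypothetical pre-parsed form: subject as (attribute type, value) pairs,
    # e.g. [("CN", "alice"), ("emailAddress", "alice@example.com")]
    subject: list
    # subjectAltName as (GeneralName type, value) pairs, e.g. [("rfc822Name", ...)]
    san: list = field(default_factory=list)


@dataclass
class UserEntry:
    # Hypothetical stand-in for the user's LDAP entry (uid and mail attributes).
    uid: str
    mail: list


class CSRIdentityMismatch(ValueError):
    """Raised when a CSR claims an identity the user entry does not back."""


def _attr_values(subject, attr_type):
    # Attribute types are compared case-insensitively ("CN" == "cn").
    return [v for t, v in subject if t.lower() == attr_type.lower()]


def _norm_email(addr):
    # Assumption: treat the whole address case-insensitively, as most
    # deployments do (the domain part is case-insensitive by definition).
    return addr.strip().lower()


def validate_user_csr(csr, user):
    """Return the list of identity claims that were checked, or raise
    CSRIdentityMismatch.  CN is mandatory and must equal uid exactly;
    emailAddress / rfc822Name are only checked if the CSR carries them."""
    checked = []

    cns = _attr_values(csr.subject, "CN")
    if len(cns) != 1:
        raise CSRIdentityMismatch("user CSR must carry exactly one CN")
    if cns[0] != user.uid:  # conservative: exact match, no case folding
        raise CSRIdentityMismatch(f"CN {cns[0]!r} does not match uid {user.uid!r}")
    checked.append(("CN", cns[0]))

    allowed = {_norm_email(m) for m in user.mail}
    for addr in _attr_values(csr.subject, "emailAddress"):
        if _norm_email(addr) not in allowed:
            raise CSRIdentityMismatch(f"subject emailAddress {addr!r} is not the user's")
        checked.append(("emailAddress", addr))
    for gn_type, value in csr.san:
        if gn_type == "rfc822Name":
            if _norm_email(value) not in allowed:
                raise CSRIdentityMismatch(f"SAN rfc822Name {value!r} is not the user's")
            checked.append(("rfc822Name", value))
    # Caveat: other SAN types (dNSName, otherName) are not addressed here.
    return checked


def csr_is_valid(csr, user):
    """Boolean convenience wrapper around validate_user_csr."""
    try:
        validate_user_csr(csr, user)
        return True
    except CSRIdentityMismatch:
        return False


# Constructed sample data for the demonstration.
ALICE = UserEntry(uid="alice", mail=["alice@example.com"])
GOOD_CSR = ParsedCSR(subject=[("CN", "alice"), ("emailAddress", "alice@example.com")],
                     san=[("rfc822Name", "Alice@Example.com")])
NO_EMAIL_CSR = ParsedCSR(subject=[("CN", "alice")])
WRONG_CN_CSR = ParsedCSR(subject=[("CN", "bob")])
WRONG_SAN_CSR = ParsedCSR(subject=[("CN", "alice")], san=[("rfc822Name", "admin@example.com")])

if __name__ == "__main__":
    for name, csr in [("good", GOOD_CSR), ("no-email", NO_EMAIL_CSR),
                      ("wrong-cn", WRONG_CN_CSR), ("wrong-san", WRONG_SAN_CSR)]:
        print(f"{name}: {'accepted' if csr_is_valid(csr, ALICE) else 'rejected'}")
```

The email fields are optional but, once present, binding: a CSR with only a matching CN is accepted, while a matching CN combined with a foreign rfc822Name is rejected, which is the case the mail's "if either of those is present" wording is about.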
