[Freeipa-devel] [PATCHES 0001-0011 v3] Profile management
Martin Basti
mbasti at redhat.com
Thu May 21 12:16:22 UTC 2015
On 20/05/15 16:41, Fraser Tweedale wrote:
> Hi Honza, Martin et al,
>
> Latest patches attached. On top of previous patches (most review
> matters addressed**) patches 0008..0011 add support for profiles and
> user certificates to `ipa cert-request'.
>
> ** those that were not are being tracked at [1]; please add anything
> I missed.
>
> Some points to note:
>
> - usercertificate is not yet a multi-valued attribute for users,
> hosts and services.
>
> QUESTION - we do want to allow multiple certificates for all
> principal types, not just users? Or have I got that wrong.
>
> - "DN and SAN match principal" checks are not implemented for users
> yet.
>
> - ACL was added to allow user principals to request their own
> certificates, however, this will be further subject to CA/profile
> ACLs which are to come.
>
> - Pursuant to [2] revocation logic was removed from `cert-request'
>
> [1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> [2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
>
> Thanks,
> Fraser
I tried the upgrade and got:
Updating managed permissions for certprofile
Upgrade failed with targetattr "ipacertprofilestoreissued" does not
exist in schema. Please add attributeTypes "ipacertprofilestoreissued"
to schema if necessary. ACL Syntax Error(-5):(targetattr = \22cn ||
description || ipacertprofilestoreissued\22)(targetfilter =
\22(objectclass=ipacertprofile)\22)(version 3.0;acl
\22permission:System: Modify Certificate Profile\22;allow (write)
groupdn = \22ldap:///cn=System: Modify Certificate
Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;):
Invalid syntax.
[error] RuntimeError: targetattr "ipacertprofilestoreissued" does not
exist in schema. Please add attributeTypes "ipacertprofilestoreissued"
to schema if necessary. ACL Syntax Error(-5):(targetattr = \22cn ||
description || ipacertprofilestoreissued\22)(targetfilter =
\22(objectclass=ipacertprofile)\22)(version 3.0;acl
\22permission:System: Modify Certificate Profile\22;allow (write)
groupdn = \22ldap:///cn=System: Modify Certificate
Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;):
Invalid syntax.
[cleanup]: stopping directory server
[cleanup]: restoring configuration
I cannot find the "ipacertprofilestoreissued" in any IPA schema file.
Did I miss something?
--
Martin Basti
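As an added illustration (not from the patches or the thread), a small pre-flight check that pulls the attribute names out of the targetattr clause of an ACI like the one in the error above and reports any the schema does not define; the schema set below is a constructed stand-in for what would otherwise be read from cn=schema.

```python
import re

# Constructed ACI modelled on the one in the upgrade error; the \22 sequences are
# the directory server's hex-escaped double quotes, kept as they appear in the log.
ACI = (
    r'(targetattr = \22cn || description || ipacertprofilestoreissued\22)'
    r'(targetfilter = \22(objectclass=ipacertprofile)\22)'
    r'(version 3.0;acl \22permission:System: Modify Certificate Profile\22;'
    r'allow (write) groupdn = \22ldap:///cn=System: Modify Certificate Profile,'
    r'cn=permissions,cn=pbac,dc=example,dc=com\22;)'
)

# Constructed stand-in for the attributeTypes the server knows about; a real check
# would read them from cn=schema. The attribute the ACI needs is deliberately absent.
KNOWN_ATTRIBUTES = {"cn", "description", "objectClass", "ipaCertProfileSummary"}


def unescape_aci(aci: str) -> str:
    """Turn the \\XX hex escapes used in the server's error output back into characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), aci)


def targetattrs(aci: str) -> list[str]:
    """Return the attribute names listed in the ACI's targetattr clause, in order."""
    match = re.search(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', unescape_aci(aci))
    if not match:
        return []
    return [name.strip() for name in match.group(2).split("||") if name.strip()]


def missing_targetattrs(aci: str, schema_attrs: set[str]) -> list[str]:
    """Names the ACI targets that the schema lacks; LDAP attribute names are case-insensitive."""
    known = {name.lower() for name in schema_attrs}
    return [name for name in targetattrs(aci) if name != "*" and name.lower() not in known]


if __name__ == "__main__":
    for name in missing_targetattrs(ACI, KNOWN_ATTRIBUTES):
        print(f'targetattr "{name}" is not defined in the schema')
```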