[Freeipa-devel] [PATCHES 0001-0011 v3] Profile management
Martin Basti
mbasti at redhat.com
Thu May 21 12:46:20 UTC 2015
On 21/05/15 14:31, Martin Basti wrote:
> On 21/05/15 14:16, Martin Basti wrote:
>> On 20/05/15 16:41, Fraser Tweedale wrote:
>>> Hi Honza, Martin et al,
>>>
>>> Latest patches attached. On top of previous patches (most review
>>> matters addressed**) patches 0008..0011 add support for profiles and
>>> user certificates to `ipa cert-request'.
>>>
>>> ** those that were not are being tracked at [1]; please add anything
>>> I missed.
>>>
>>> Some points to note:
>>>
>>> - usercertificate is not yet a multi-valued attribute for users,
>>> hosts and services.
>>>
>>> QUESTION - do we want to allow multiple certificates for all
>>> principal types, not just users? Or have I got that wrong?
>>>
>>> - "DN and SAN match principal" checks are not implemented for users
>>> yet.
>>>
>>> - ACL was added to allow user principals to request their own
>>> certificates, however, this will be further subject to CA/profile
>>> ACLs which are to come.
>>>
>>> - Pursuant to [2] revocation logic was removed from `cert-request'
>>>
>>> [1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>> [2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
>>>
>>> Thanks,
>>> Fraser
>> I tried upgrade and:
>>
>> Updating managed permissions for certprofile
>> Upgrade failed with targetattr "ipacertprofilestoreissued" does not
>> exist in schema. Please add attributeTypes
>> "ipacertprofilestoreissued" to schema if necessary. ACL Syntax
>> Error(-5):(targetattr = \22cn || description ||
>> ipacertprofilestoreissued\22)(targetfilter =
>> \22(objectclass=ipacertprofile)\22)(version 3.0;acl
>> \22permission:System: Modify Certificate Profile\22;allow (write)
>> groupdn = \22ldap:///cn=System: Modify Certificate
>> Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;):
>> Invalid syntax.
>> [error] RuntimeError: targetattr "ipacertprofilestoreissued" does
>> not exist in schema. Please add attributeTypes
>> "ipacertprofilestoreissued" to schema if necessary. ACL Syntax
>> Error(-5):(targetattr = \22cn || description ||
>> ipacertprofilestoreissued\22)(targetfilter =
>> \22(objectclass=ipacertprofile)\22)(version 3.0;acl
>> \22permission:System: Modify Certificate Profile\22;allow (write)
>> groupdn = \22ldap:///cn=System: Modify Certificate
>> Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;):
>> Invalid syntax.
>> [cleanup]: stopping directory server
>> [cleanup]: restoring configuration
>>
>> I cannot find the "ipacertprofilestoreissued" in any IPA schema file.
>>
>> Did I miss something?
>>
>>
> Sorry, I found it, stupid me.
> I will investigate why upgrade failed then.
>
Bug in ipa-server-upgrade, thank you for finding this issue :-)
--
Martin Basti
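The failure above is the directory server rejecting a managed-permission ACI whose targetattr names an attribute (ipacertprofilestoreissued) that is not yet in its schema, so the upgrade aborts and rolls back. The following is an added example, not code from FreeIPA or from anyone in this thread: a small pre-flight check that pulls the attribute names out of an ACI string (including the \22 escapes 389-ds used when echoing the rejected value) and compares them against the attribute names a server's schema defines, so the problem is caught before the LDAP write. The ACI text is copied from the error output with the DN suffix shortened; the two schema sets and all function names are constructed for this example.

```python
import re

# Constructed sample: the ACI 389-ds rejected in the upgrade log, with the
# \22 escapes the server used when echoing it (0x22 is the ASCII code of '"').
# The dc=... suffix from the log is shortened to dc=example,dc=com.
REJECTED_ACI = (
    r'(targetattr = \22cn || description || ipacertprofilestoreissued\22)'
    r'(targetfilter = \22(objectclass=ipacertprofile)\22)'
    r'(version 3.0;acl \22permission:System: Modify Certificate Profile\22;'
    r'allow (write) groupdn = \22ldap:///cn=System: Modify Certificate '
    r'Profile,cn=permissions,cn=pbac,dc=example,dc=com\22;)'
)

# Constructed schema snapshots: the attribute names a server knows before and
# after the ipacertprofilestoreissued attributeType has been loaded. A real
# check would read these from cn=schema over LDAP; only the names are modelled.
SCHEMA_BEFORE = {"cn", "description", "objectClass", "userCertificate"}
SCHEMA_AFTER = SCHEMA_BEFORE | {"ipaCertProfileStoreIssued"}

_HEX_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2})")
_TARGETATTR = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)',
                         re.IGNORECASE)


def unescape_aci(aci):
    """Turn \\22-style hex escapes back into the characters they encode."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), aci)


def targetattrs(aci):
    """Return the lowercase attribute names listed in the ACI's targetattr.

    '*' (all attributes) is dropped because it names no schema entry. A
    'targetattr != ...' clause is handled like '=' because the names it
    lists must still exist in schema for the server to accept the ACI.
    """
    names = []
    for _op, value in _TARGETATTR.findall(unescape_aci(aci)):
        for name in value.split("||"):
            name = name.strip().lower()
            if name and name != "*":
                names.append(name)
    return names


def missing_targetattrs(aci, schema_attrs):
    """Attribute names the ACI references that the schema does not define.

    LDAP attribute names are case-insensitive, so both sides are lowercased.
    """
    known = {a.lower() for a in schema_attrs}
    return sorted(set(targetattrs(aci)) - known)


def check_aci_against_schema(aci, schema_attrs):
    """Raise before the LDAP write instead of letting the server reject it."""
    missing = missing_targetattrs(aci, schema_attrs)
    if missing:
        raise ValueError(
            'targetattr "%s" does not exist in schema; load the '
            "attributeTypes before adding this ACI" % ", ".join(missing)
        )
    return True


if __name__ == "__main__":
    print(targetattrs(REJECTED_ACI))
    print(missing_targetattrs(REJECTED_ACI, SCHEMA_BEFORE))
    print(check_aci_against_schema(REJECTED_ACI, SCHEMA_AFTER))
```

Run against the pre-schema-update snapshot the check names exactly the attribute the server complained about; against the post-update snapshot it passes, which is the ordering an upgrade step adding managed permissions has to guarantee.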