[Freeipa-devel] [PATCHES 0001-0011 v3] Profile management

Fraser Tweedale ftweedal at redhat.com
Thu May 21 14:52:20 UTC 2015


On Thu, May 21, 2015 at 02:46:20PM +0200, Martin Basti wrote:
> On 21/05/15 14:31, Martin Basti wrote:
> >On 21/05/15 14:16, Martin Basti wrote:
> >>On 20/05/15 16:41, Fraser Tweedale wrote:
> >>>Hi Honza, Martin et al,
> >>>
> >>>Latest patches attached.  On top of previous patches (most review
> >>>matters addressed**) patches 0008..0011 add support for profiles and
> >>>user certificates to `ipa cert-request'.
> >>>
> >>>** those that were not are being tracked at [1]; please add anything
> >>>    I missed.
> >>>
> >>>Some points to note:
> >>>
> >>>- usercertificate is not yet a multi-valued attribute for users,
> >>>   hosts and services.
> >>>
> >>>   QUESTION - do we want to allow multiple certificates for all
> >>>   principal types, not just users?  Or have I got that wrong?
> >>>
> >>>- "DN and SAN match principal" checks are not implemented for users
> >>>   yet.
> >>>
> >>>- ACL was added to allow user principals to request their own
> >>>   certificates, however, this will be further subject to CA/profile
> >>>   ACLs which are to come.
> >>>
> >>>- Pursuant to [2] revocation logic was removed from `cert-request'
> >>>
> >>>[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> >>>[2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
> >>>
> >>>Thanks,
> >>>Fraser
> >>I tried upgrade and:
> >>
> >>Updating managed permissions for certprofile
> >>Upgrade failed with targetattr "ipacertprofilestoreissued" does not
> >>exist in schema. Please add attributeTypes "ipacertprofilestoreissued"
> >>to schema if necessary. ACL Syntax Error(-5):(targetattr = \22cn ||
> >>description || ipacertprofilestoreissued\22)(targetfilter =
> >>\22(objectclass=ipacertprofile)\22)(version 3.0;acl
> >>\22permission:System: Modify Certificate Profile\22;allow (write)
> >>groupdn = \22ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;):
> >>Invalid syntax.
> >>  [error] RuntimeError: targetattr "ipacertprofilestoreissued" does not
> >>exist in schema. Please add attributeTypes "ipacertprofilestoreissued"
> >>to schema if necessary. ACL Syntax Error(-5):(targetattr = \22cn ||
> >>description || ipacertprofilestoreissued\22)(targetfilter =
> >>\22(objectclass=ipacertprofile)\22)(version 3.0;acl
> >>\22permission:System: Modify Certificate Profile\22;allow (write)
> >>groupdn = \22ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;):
> >>Invalid syntax.
> >>  [cleanup]: stopping directory server
> >>  [cleanup]: restoring configuration
> >>
> >>I cannot find the "ipacertprofilestoreissued" in any IPA schema file.
> >>
> >>Did I miss something?
> >>
> >>
> >Sorry, I found it, stupid me.
> >I will investigate why upgrade failed then.
> >
> 
> Bug in ipa-server-upgrade, thank you for finding this issue :-)
> 
And thanks for the fix!  There are still some issues with upgrade; I
will address them in the next patch set.

> -- 
> Martin Basti
> 