[Freeipa-devel] [PATCHES 0001-0011 v3] Profile management
Martin Kosek
mkosek at redhat.com
Fri May 22 07:06:16 UTC 2015
On 05/21/2015 05:33 PM, Martin Basti wrote:
> On 20/05/15 16:41, Fraser Tweedale wrote:
>> Hi Honza, Martin et al,
>>
>> Latest patches attached. On top of previous patches (most review
>> matters addressed**) patches 0008..0011 add support for profiles and
>> user certificates to `ipa cert-request'.
>>
>> ** those that were not are being tracked at [1]; please add anything
>> I missed.
>>
>> Some points to note:
>>
>> - usercertificate is not yet a multi-valued attribute for users,
>> hosts and services.
It should be multivalued now, for all 3 entities.
>> QUESTION - we do want to allow multiple certificates for all
>> principal types, not just users? Or have I got that wrong.
You have that right (unless I miss something).
> Changing schema can cause issues in future, we already burned ourselves several
> times.
> If you plan to have a multi-valued attribute in the close future, could it be better to
> have a multivalued schema now, instead of making this change in the future?
+1. In general, it is better to do the schema right from day 0; temporary
limitations should rather be solved in the framework, which is easier to change.
>>
>> - "DN and SAN match principal" checks are not implemented for users
>> yet.
>>
>> - ACL was added to allow user principals to request their own
>> certificates, however, this will be further subject to CA/profile
>> ACLs which are to come.
>>
>> - Pursuant to [2] revocation logic was removed from `cert-request'
>>
>> [1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>> [2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
>>
>> Thanks,
>> Fraser
Thank you too.
Martin
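The "DN and SAN match principal" check that the thread notes is still missing for users, written out as a stand-alone illustration. This is an added example, not code from the patches or from FreeIPA itself: it assumes a single realm `EXAMPLE.TEST`, an in-memory `USER_MAIL` table standing in for the directory, and an assumed policy (users get a CN equal to their uid and only email/principal SANs; host and service principals get a CN and dNSName SANs equal to the host FQDN). The names `parse_principal`, `request_matches_principal`, `Principal`, `REALM` and `USER_MAIL` are invented for this example.

```python
"""Hypothetical 'subject and SAN must match the requesting principal' check.
Not FreeIPA's implementation; policy and names below are assumptions."""
import re
from dataclasses import dataclass
from typing import Iterable, Tuple

# Constructed realm and a tiny stand-in for the directory's mail attributes.
REALM = "EXAMPLE.TEST"
USER_MAIL = {"alice": {"alice@example.test"}}

_PRINC_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^/@]+))?@(?P<realm>[^@]+)$")


@dataclass(frozen=True)
class Principal:
    kind: str   # "user", "host" or "service"
    name: str   # uid for users, "host" for hosts, service name (e.g. HTTP)
    host: str   # FQDN for host/service principals, "" for users

    @property
    def krbname(self) -> str:
        if self.kind == "user":
            return f"{self.name}@{REALM}"
        return f"{self.name}/{self.host}@{REALM}"


def parse_principal(krbname: str) -> Principal:
    """Split a Kerberos principal name into its kind, name and host part."""
    m = _PRINC_RE.match(krbname)
    if not m or m.group("realm") != REALM:
        raise ValueError(f"not a principal of realm {REALM}: {krbname!r}")
    primary, instance = m.group("primary"), m.group("instance")
    if instance is None:
        return Principal("user", primary.lower(), "")
    if primary == "host":
        return Principal("host", "host", instance.lower())
    return Principal("service", primary, instance.lower())


def request_matches_principal(requester: str, subject_cn: str,
                              sans: Iterable[Tuple[str, str]]) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request made by `requester`.

    `sans` is a list of (type, value) pairs with type in {"dns", "email",
    "principal"}; any SAN that is not explicitly tied to the requester is
    rejected, so an unknown type is rejected too.
    """
    p = parse_principal(requester)
    cn = subject_cn.lower()
    if p.kind == "user":
        if cn != p.name:
            return False, f"CN {subject_cn!r} is not the uid {p.name!r}"
        allowed_email = {a.lower() for a in USER_MAIL.get(p.name, ())}
    else:
        if cn != p.host:
            return False, f"CN {subject_cn!r} is not the host {p.host!r}"
        allowed_email = set()   # hosts and services never get email SANs
    for san_type, value in sans:
        v = value.lower()
        if san_type == "dns" and p.kind != "user" and v == p.host:
            continue
        if san_type == "email" and v in allowed_email:
            continue
        if san_type == "principal" and v == p.krbname.lower():
            continue
        return False, f"SAN {san_type}:{value} not permitted for {requester}"
    return True, "subject and SAN match principal"


if __name__ == "__main__":
    # Constructed requests: one legitimate user request and one where a user
    # tries to obtain a certificate naming a host.
    print(request_matches_principal("alice@EXAMPLE.TEST", "alice",
                                    [("email", "alice@example.test")]))
    print(request_matches_principal("alice@EXAMPLE.TEST", "alice",
                                    [("dns", "web.example.test")]))
```

The check deliberately whitelists: every SAN must be justified by the requesting principal, so the default outcome for anything unexpected is a rejection with a reason string that can be logged alongside the request.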