[Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

Martin Basti mbasti at redhat.com
Thu May 28 09:48:52 UTC 2015


On 27/05/15 16:04, Fraser Tweedale wrote:
> Hello all,
>
> Fresh certificate management patchset; Changelog:
>
> - Now depends on patch freeipa-ftweedal-0014 for correct
>    cert-request behaviour with host and service principals.
>
> - Updated Dogtag dependency to 10.2.4-1.  Should be in f22
>    soon, but for f22 right now or for f21, please grab from my copr:
>    https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>
>    Martin^1 could you please add to the quasi-official freeipa copr?
>    SRPM lives at https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>
> - cert-request now verifies that for user principals, CSR CN matches
>    uid and, DN emailAddress and SAN rfc822Name match user's email
>    address, if either of those is present.
>
> - Fixed one or two other sneaky little bugs.
>
> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>> Hi all,
>>
>> Please find attached the latest certificate management patchset,
>> which introduces the `caacl' plugin and various fixes and
>> improvements to earlier patches.
>>
>> One important change to earlier patches is reverting the name of the
>> default profile to 'caIPAserviceCert' and using the existing
>> instance of this profile on upgrade (but not install) in case it has
>> been modified.
>>
>> Other notes:
>>
>> - Still have changes in ipa-server-install (fewer lines now, though)
>>
>> - Still have the ugly import hack.  It is not a high priority for
>>    me, i.e. I think it should wait until after alpha
>>
>> - Still need to update 'service' and 'host' plugins to support
>>    multiple certificates.  (The userCertificate attribute schema
>>    itself is multi-valued, so there are no schema issues here)
>>
>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>    supporting multiple profiles for hosts and services (which
>>    requires changes to framework only, not schema).
>>    [1]: http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>
>> Happy reviewing!  I am pleased with the initial cut of the caacl
>> plugin but I'm sure you will find some things to be fixed :)
>>
>> Cheers,
>> Fraser

[root at vm-093 ~]#  ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94
Directory Manager (existing master) password:

Preparing replica for vm-094.example.com from vm-093.example.com
Creating SSL certificate for the Directory Server
not well-formed (invalid token): line 2, column 14

I cannot create the replica file.
It works on the upgraded server, but it doesn't work on the newly 
installed server.
I'm not sure if this is caused by your patches which modify the 
ca-installer, or by the newer version of dogtag.

Or if there were any other changes in master; I will continue to 
investigate with a new RPM from the master branch.

Martin^2

-- 
Martin Basti
