[Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs
Martin Basti
mbasti at redhat.com
Thu May 28 12:42:53 UTC 2015
On 28/05/15 11:48, Martin Basti wrote:
> On 27/05/15 16:04, Fraser Tweedale wrote:
>> Hello all,
>>
>> Fresh certificate management patchset; Changelog:
>>
>> - Now depends on patch freeipa-ftweedal-0014 for correct
>> cert-request behaviour with host and service principals.
>>
>> - Updated Dogtag dependency to 10.2.4-1. Should should be in f22
>> soon, but for f22 right now or for f21, please grab from my copr:
>> https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>
>> Martin^1 could you please add to the quasi-official freeipa copr?
>> SRPM lives at https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>
>> - cert-request now verifies that for user principals, CSR CN matches
>> uid and, DN emailAddress and SAN rfc822Name match user's email
>> address, if either of those is present.
>>
>> - Fixed one or two other sneaky little bugs.
>>
>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>> Hi all,
>>>
>>> Please find attached the latest certificate management patchset,
>>> which introduces the `caacl' plugin and various fixes and
>>> improvement to earlier patches.
>>>
>>> One important change to earlier patches is reverting the name of the
>>> default profile to 'caIPAserviceCert' and using the existing
>>> instance of this profile on upgrade (but not install) in case it has
>>> been modified.
>>>
>>> Other notes:
>>>
>>> - Still have changes in ipa-server-install (fewer lines now, though)
>>>
>>> - Still have the ugly import hack. It is not a high priority for
>>> me, i.e. I think it should wait until after alpha
>>>
>>> - Still need to update 'service' and 'host' plugins to support
>>> multiple certificates. (The userCertificate attribute schema
>>> itself is multi-valued, so there are no schema issues here)
>>>
>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>> supporting multiple profiles for hosts and services (which
>>> requires changes to framework only, not schema).
>>> [1]: http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>
>>> Happy reviewing! I am pleased with the initial cut of the caacl
>>> plugin but I'm sure you will find some things to be fixed :)
>>>
>>> Cheers,
>>> Fraser
>
> [root at vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address
> 10.34.78.94
> Directory Manager (existing master) password:
>
> Preparing replica for vm-094.example.com from vm-093.example.com
> Creating SSL certificate for the Directory Server
> not well-formed (invalid token): line 2, column 14
>
> I cannot create replica file.
> It work on the upgraded server, but it doesn't work on the newly
> installed server.
> I'm not sure if this causes your patches which modifies the
> ca-installer, or the newer version of dogtag.
>
> Or if there was any other changes in master, I will continue to
> investigate with new RPM from master branch.
>
> Martin^2
>
ipa-replica-prepare works for:
* master branch
* master branch + pki-ca 10.2.4-1
So something in your patches is breaking it
Martin^2
--
Martin Basti
More information about the Freeipa-devel
mailing list