[Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

Martin Basti mbasti at redhat.com
Thu May 28 12:42:53 UTC 2015


On 28/05/15 11:48, Martin Basti wrote:
> On 27/05/15 16:04, Fraser Tweedale wrote:
>> Hello all,
>>
>> Fresh certificate management patchset; Changelog:
>>
>> - Now depends on patch freeipa-ftweedal-0014 for correct
>>    cert-request behaviour with host and service principals.
>>
>> - Updated Dogtag dependency to 10.2.4-1.  Should be in f22
>>    soon, but for f22 right now or for f21, please grab from my copr:
>>    https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>
>>    Martin^1 could you please add to the quasi-official freeipa copr?
>>    SRPM lives at https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>
>> - cert-request now verifies that for user principals, CSR CN matches
>>    uid, and DN emailAddress and SAN rfc822Name match the user's email
>>    address, if either of those is present.
>>
>> - Fixed one or two other sneaky little bugs.
>>
>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>> Hi all,
>>>
>>> Please find attached the latest certificate management patchset,
>>> which introduces the `caacl' plugin and various fixes and
>>> improvements to earlier patches.
>>>
>>> One important change to earlier patches is reverting the name of the
>>> default profile to 'caIPAserviceCert' and using the existing
>>> instance of this profile on upgrade (but not install) in case it has
>>> been modified.
>>>
>>> Other notes:
>>>
>>> - Still have changes in ipa-server-install (fewer lines now, though)
>>>
>>> - Still have the ugly import hack.  It is not a high priority for
>>>    me, i.e. I think it should wait until after alpha
>>>
>>> - Still need to update 'service' and 'host' plugins to support
>>>    multiple certificates.  (The userCertificate attribute schema
>>>    itself is multi-valued, so there are no schema issues here)
>>>
>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>>    supporting multiple profiles for hosts and services (which
>>>    requires changes to framework only, not schema).
>>>    [1]: http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>
>>> Happy reviewing!  I am pleased with the initial cut of the caacl
>>> plugin but I'm sure you will find some things to be fixed :)
>>>
>>> Cheers,
>>> Fraser
>
> [root@vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94
> Directory Manager (existing master) password:
>
> Preparing replica for vm-094.example.com from vm-093.example.com
> Creating SSL certificate for the Directory Server
> not well-formed (invalid token): line 2, column 14
>
> I cannot create replica file.
> It works on the upgraded server, but it doesn't work on the newly 
> installed server.
> I'm not sure if this is caused by your patches which modify the 
> ca-installer, or by the newer version of dogtag.
>
> Or if there were any other changes in master, I will continue to 
> investigate with a new RPM from master branch.
>
> Martin^2
>
ipa-replica-prepare works for:
* master branch
* master branch + pki-ca 10.2.4-1

So something in your patches is breaking it

Martin^2

-- 
Martin Basti
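The CSR-to-principal binding that Fraser describes for user principals (CN must equal the uid; subject emailAddress and SAN rfc822Name, when present, must equal the user's mail) is the kind of check that stops a user from requesting a certificate in someone else's name. The following is an added illustration written for this page, not FreeIPA's cert-request code: it builds constructed sample CSRs with the `cryptography` library and runs the three rules over them. The helper names (`make_csr`, `check_user_csr`) and the sample identities are assumptions made for the example.

```python
"""Illustrative check: does a user's CSR claim only identities that belong to
the requesting user?  Added example, not FreeIPA's own code.  Helper names and
sample identities are assumptions made for the example."""
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def make_csr(cn, email=None, san_email=None):
    """Build a PEM CSR (constructed sample input, not a real request).

    A throwaway P-256 key is used so the example runs quickly offline.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if email is not None:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(attrs))
    if san_email is not None:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(san_email)]),
            critical=False,
        )
    csr = builder.sign(key, hashes.SHA256())
    return csr.public_bytes(serialization.Encoding.PEM)


def check_user_csr(csr_pem, uid, mail):
    """Return a list of mismatches; an empty list means the CSR is acceptable.

    Rules, as stated in the thread for user principals:
      - subject CN must equal the user's uid;
      - subject emailAddress, if present, must equal the user's mail;
      - SAN rfc822Name, if present, must equal the user's mail.
    `mail` may be None for a user with no mail attribute; any email claim in
    the CSR is then a mismatch, since there is nothing it could match.
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    problems = []

    # Exactly one CN, and it must be the uid (no CN at all is also a mismatch).
    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [uid]:
        problems.append("CN %r does not match uid %r" % (cns, uid))

    # Subject emailAddress is optional, but if claimed it must be the user's.
    for attr in csr.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS):
        if attr.value != mail:
            problems.append(
                "subject emailAddress %r does not match mail %r" % (attr.value, mail))

    # SAN rfc822Name is optional, but if claimed it must be the user's.
    try:
        san = csr.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        san = None
    if san is not None:
        for name in san.get_values_for_type(x509.RFC822Name):
            if name != mail:
                problems.append(
                    "SAN rfc822Name %r does not match mail %r" % (name, mail))

    return problems


if __name__ == "__main__":
    good = make_csr("alice", "alice@example.com", "alice@example.com")
    bad = make_csr("alice", san_email="admin@example.com")
    print("good:", check_user_csr(good, "alice", "alice@example.com"))
    print("bad:", check_user_csr(bad, "alice", "alice@example.com"))
```

The example only implements the three rules the thread names. A production check would also need to decide what to do with SAN types a user principal cannot legitimately claim (dNSName, for instance), which the thread does not discuss.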
