[Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

Fraser Tweedale ftweedal at redhat.com
Fri May 29 04:17:54 UTC 2015


On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
> On 28/05/15 11:48, Martin Basti wrote:
> >On 27/05/15 16:04, Fraser Tweedale wrote:
> >>Hello all,
> >>
> >>Fresh certificate management patchset; Changelog:
> >>
> >>- Now depends on patch freeipa-ftweedal-0014 for correct
> >>cert-request behaviour with host and service principals.
> >>
> >>- Updated Dogtag dependency to 10.2.4-1.  Should be in
> >>f22 soon, but for f22 right now or for f21, please grab from my
> >>copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
> >>
> >>   Martin^1 could you please add to the quasi-official freeipa
> >>   copr?  SRPM lives at
> >>   https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
> >>
> >>- cert-request now verifies that for user principals, CSR CN
> >>matches uid, and DN emailAddress and SAN rfc822Name match the user's
> >>email address, if either of those is present.
> >>
> >>- Fixed one or two other sneaky little bugs.
> >>
> >>On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
> >>>Hi all,
> >>>
> >>>Please find attached the latest certificate management
> >>>patchset, which introduces the `caacl' plugin and various fixes
> >>>and improvements to earlier patches.
> >>>
> >>>One important change to earlier patches is reverting the name
> >>>of the default profile to 'caIPAserviceCert' and using the
> >>>existing instance of this profile on upgrade (but not install)
> >>>in case it has been modified.
> >>>
> >>>Other notes:
> >>>
> >>>- Still have changes in ipa-server-install (fewer lines now,
> >>>though)
> >>>
> >>>- Still have the ugly import hack.  It is not a high priority
> >>>for me, i.e. I think it should wait until after alpha
> >>>
> >>>- Still need to update 'service' and 'host' plugins to support
> >>>multiple certificates.  (The userCertificate attribute schema
> >>>itself is multi-valued, so there are no schema issues here)
> >>>
> >>>- The TODOs in [1]; mostly certprofile CLI conveniences and
> >>>supporting multiple profiles for hosts and services (which
> >>>requires changes to framework only, not schema).  [1]:
> >>>http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
> >>>
> >>>Happy reviewing!  I am pleased with the initial cut of the
> >>>caacl plugin but I'm sure you will find some things to be fixed
> >>>:)
> >>>
> >>>Cheers, Fraser
> >
> >[root at vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94
> >Directory Manager (existing master) password:
> >
> >Preparing replica for vm-094.example.com from vm-093.example.com
> >Creating SSL certificate for the Directory Server
> >not well-formed (invalid token): line 2, column 14
> >
> >I cannot create the replica file.  It works on the upgraded server,
> >but it doesn't work on the newly installed server.  I'm not sure
> >if this is caused by your patches which modify the ca-installer, or
> >by the newer version of dogtag.
> >
> >Or if there were any other changes in master; I will continue to
> >investigate with a new RPM from the master branch.
> >
> >Martin^2
> >
> ipa-replica-prepare works for:
> * master branch
> * master branch + pki-ca 10.2.4-1
> 
> So something in your patches is breaking it
> 
> Martin^2
> 
Martin, master + my patches with pki 10.2.4-1 is working for me on
f21 and f22.  Can you provide ipa-replica-prepare --debug output and
Dogtag debug log?  ( /var/log/pki/pki-tomcat/ca/debug )

Thanks,
Fraser
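The user-principal CSR checks listed in the changelog above (CN must match uid; subject emailAddress and SAN rfc822Name, when present, must match the user's mail), as an added Python example that is not part of FreeIPA or of this patchset. The CsrFields and UserEntry shapes, the helper names, and the comparison rules (exactly one CN required, e-mail compared case-insensitively, a user with no mail attribute rejecting any e-mail in the CSR) are assumptions made for illustration; the optional PEM helper uses python-cryptography.

```python
"""Added example: stand-alone version of the user-principal CSR policy checks
described in the thread. Not FreeIPA code; the exact comparison rules are
assumptions for this example."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class CsrFields:
    """The three CSR fields the policy looks at, already extracted (assumed shape)."""
    common_names: List[str] = field(default_factory=list)    # subject CN values
    email_addresses: List[str] = field(default_factory=list) # subject emailAddress values
    rfc822_names: List[str] = field(default_factory=list)    # SAN rfc822Name values


@dataclass
class UserEntry:
    """Minimal view of the requesting user's LDAP entry (assumed shape)."""
    uid: str
    mail: List[str] = field(default_factory=list)


def _norm_email(addr: str) -> str:
    # Assumption: the whole address is compared case-insensitively. RFC 5321
    # allows a case-sensitive local part; a stricter deployment could keep it.
    return addr.strip().lower()


def check_user_csr(csr: CsrFields, user: UserEntry) -> List[str]:
    """Return the list of policy violations; an empty list means the CSR is acceptable."""
    problems: List[str] = []

    # 1. Exactly one CN, equal to the uid of the principal the request is for.
    if len(csr.common_names) != 1:
        problems.append(f"expected exactly one subject CN, found {len(csr.common_names)}")
    elif csr.common_names[0] != user.uid:
        problems.append(f"subject CN {csr.common_names[0]!r} does not match uid {user.uid!r}")

    # 2. Every e-mail the CSR carries (DN emailAddress or SAN rfc822Name) must be
    #    one of the user's mail values. A CSR with no e-mail at all passes this step.
    allowed = {_norm_email(m) for m in user.mail}
    for label, values in (("subject emailAddress", csr.email_addresses),
                          ("SAN rfc822Name", csr.rfc822_names)):
        for value in values:
            if _norm_email(value) not in allowed:
                problems.append(f"{label} {value!r} is not one of the user's mail values "
                                f"{sorted(allowed)}")
    return problems


def csr_fields_from_pem(pem: bytes) -> CsrFields:
    """Extract the fields from a PEM CSR with python-cryptography (only this helper
    needs the library; the policy check itself has no third-party dependency)."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    req = x509.load_pem_x509_csr(pem)
    cns = [str(a.value) for a in req.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    emails = [str(a.value) for a in req.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]
    try:
        san = req.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        rfc822 = list(san.get_values_for_type(x509.RFC822Name))
    except x509.ExtensionNotFound:
        rfc822 = []
    return CsrFields(cns, emails, rfc822)


if __name__ == "__main__":
    # Constructed sample input, not taken from any real deployment.
    alice = UserEntry(uid="alice", mail=["alice@example.com"])
    good = CsrFields(["alice"], ["alice@example.com"], ["Alice@Example.com"])
    bad = CsrFields(["alice"], [], ["mallory@example.com"])
    print("good:", check_user_csr(good, alice) or "accepted")
    print("bad: ", check_user_csr(bad, alice))
```

Returning the full list of violations rather than raising on the first one lets a caller report everything wrong with a request at once; in a server plugin the non-empty list would be turned into the request's rejection reason.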
