[Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

Fri May 29 09:21:52 UTC 2015

On 29/05/15 06:17, Fraser Tweedale wrote:
> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
>> On 28/05/15 11:48, Martin Basti wrote:
>>> On 27/05/15 16:04, Fraser Tweedale wrote:
>>>> Hello all,
>>>>
>>>> Fresh certificate management patchset; Changelog:
>>>>
>>>> - Now depends on patch freeipa-ftweedal-0014 for correct
>>>> cert-request behaviour with host and service principals.
>>>>
>>>> - Updated Dogtag dependency to 10.2.4-1.  Should should be in
>>>> f22 soon, but for f22 right now or for f21, please grab from my
>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>
>>>>    Martin^1 could you please add to the quasi-official freeipa
>>>>    copr?  SRPM lives at
>>>>    https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>>>
>>>> - cert-request now verifies that for user principals, CSR CN
>>>> matches uid and, DN emailAddress and SAN rfc822Name match user's
>>>> email address, if either of those is present.
>>>>
>>>> - Fixed one or two other sneaky little bugs.
>>>>
>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>>>> Hi all,
>>>>>
>>>>> Please find attached the latest certificate management
>>>>> patchset, which introduces the `caacl' plugin and various fixes
>>>>> and improvement to earlier patches.
>>>>>
>>>>> One important change to earlier patches is reverting the name
>>>>> of the default profile to 'caIPAserviceCert' and using the
>>>>> existing instance of this profile on upgrade (but not install)
>>>>> in case it has been modified.
>>>>>
>>>>> Other notes:
>>>>>
>>>>> - Still have changes in ipa-server-install (fewer lines now,
>>>>> though)
>>>>>
>>>>> - Still have the ugly import hack.  It is not a high priority
>>>>> for me, i.e. I think it should wait until after alpha
>>>>>
>>>>> - Still need to update 'service' and 'host' plugins to support
>>>>> multiple certificates.  (The userCertificate attribute schema
>>>>> itself is multi-valued, so there are no schema issues here)
>>>>>
>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>>>> supporting multiple profiles for hosts and services (which
>>>>> requires changes to framework only, not schema).  [1]:
>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>>>
>>>>> Happy reviewing!  I am pleased with the initial cut of the
>>>>> caacl plugin but I'm sure you will find some things to be fixed
>>>>> :)
>>>>>
>>>>> Cheers, Fraser
>>> [root at vm-093 ~]#  ipa-replica-prepare vm-094.example.com
>>> --ip-address 10.34.78.94 Directory Manager (existing master)
>>> password:
>>>
>>> Preparing replica for vm-094.example.com from vm-093.example.com
>>> Creating SSL certificate for the Directory Server not well-formed
>>> (invalid token): line 2, column 14
>>>
>>> I cannot create replica file.  It work on the upgraded server,
>>> but it doesn't work on the newly installed server.  I'm not sure
>>> if this causes your patches which modifies the ca-installer, or
>>> the newer version of dogtag.
>>>
>>> Or if there was any other changes in master, I will continue to
>>> investigate with new RPM from master branch.
>>>
>>> Martin^2
>>>
>> ipa-replica-prepare works for: * master branch * master branch +
>> pki-ca 10.2.4-1
>>
>> So something in your patches is breaking it
>>
>> Martin^2
>>
> Martin, master + my patches with pki 10.2.4-1 is working for me on
> f21 and f22.  Can you provide ipa-replica-prepare --debug output and
> Dogtag debug log?  ( /var/log/pki/pki-tomcat/ca/debug )
>
> Thanks,
> Fraser
I can not reproduce it today. And I already recycled the VMs from 
yesterday. :-(

-- 
Martin Basti