[Freeipa-devel] #5881 / bz1327092 ; fixing broken caIPAserviceCert profile

Martin Kosek mkosek at redhat.com
Thu May 12 14:14:28 UTC 2016


On 05/12/2016 12:56 AM, Fraser Tweedale wrote:
> On Wed, May 11, 2016 at 04:36:34PM +0200, Jan Cholasta wrote:
>> On 11.5.2016 15:04, Fraser Tweedale wrote:
>>> On Wed, May 11, 2016 at 01:31:36PM +0200, Jan Cholasta wrote:
...
>>>> 3) I would rather avoid adding new commands just to work around bugs. IMO
>>>> "certprofile-import caIPAserviceCert
>>>> /usr/share/ipa/profiles/caIPAserviceCert.cfg" should be good enough in this
>>>> case.
>>>>
>>> As discussed above, I'm afraid it is not, unless users manually do
>>> the substitutions.  If we provide some code to do the substitutions,
>>> we have essentially reached what I have proposed.
>>>
>>> Other suggestions are welcome.
>>>
>>> BTW, there is another option I did not already mention: do nothing
>>> in code, and help users on a case-by-case basis / point them to a
>>> guide / KB article?
>>
>> This option is my favorite :-) (If automatic fix during upgrade is indeed
>> out of the picture.)
>>
> Martin, if the profile is incorrect, do we have to fix it
> automatically?  What are our obligations / customer expectations
> here?

I would love to hear customer expectations, but in that case you should ask the
users/customers, not me :-) But having a documented procedure in a KB/wiki
article on how to fix a broken profile seems good enough for me; we can build
the API command later if we see a pressing need.

Martin



