[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

abbra freeipa-github-notification at redhat.com
Thu Apr 20 11:34:10 UTC 2017


  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
"""
I agree that it is an internal detail whether we use local PKINIT or not. However, we need to know that it exists, as opposed to not existing at all, for older systems where we are going to perform upgrades. However, as you can derive this information by the presence or absence of the actual KDC certificate file in the file system during upgrade, this can be reduced, indeed.

One more detail: we already have a pkinit plugin (`ipaserver/plugins/pkinit.py`) which has the `ipa pkinit-anonymous enable/disable` command. This command cannot be used now because even for the 'local' case we require anonymous PKINIT to be usable, and this means we cannot disable the principal.

Perhaps you can remove this command and add an `ipa pkinit-status` command instead to show the status? It would show a list of KDCs and their status.

"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-295696911