[Freeipa-devel] [PATCH] 304 hosts requesting certificates

Rob Crittenden rcritten at redhat.com
Tue Nov 3 14:37:10 UTC 2009


Jason Gerard DeRose wrote:
> On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
>> I had originally implemented allowing a host to request certificates for 
>> other hosts using the requesting IP address. That was a pretty lousy way 
>> to do it.
>>
>> This patch uses the DS ACI system instead. We came up with a clever ACI 
>> that lets hosts listed in the managedBy attribute in the service modify 
>> the userCertificate attribute. So you can use this to delegate which 
>> hosts can request certificates for which services, even for other machines.
>>
>> I also re-ordered the request_certificate() method a bit. We want all 
>> the service work done before we do the certificate request. It was 
>> previously adding the service after the cert request was done. This 
>> could mean a failed request if the requestor isn't allowed to add 
>> services. But it is also too late because the cert had already been issued.
>>
>> I documented how this works a bit at 
>> http://www.freeipa.org/page/Certificate_Authority
>>
>> rob
> 
> I'm having problems applying this patch:
> 
> error: install/share/60basev2.ldif: patch does not apply
> 

It was because the syntax of the fqdn attribute in 60basev2.ldif changed 
and it was in the context of this patch. New patch attached.

rob
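The delegation mechanism described above (hosts named in a service's managedBy attribute may write that service's userCertificate) can be expressed as a single 389 Directory Server ACI. The following LDIF is an added illustration written for this page, not the contents of the scrubbed freeipa-304-2-cert.patch; the container DN, the ipaService object class and the ACI name are assumptions. The bind rule `userattr = "managedBy#USERDN"` grants access only when the bound DN (the host principal's entry) appears as a value of managedBy on the target service entry, so the delegation is explicit per service rather than inferred from the requesting IP address.

```ldif
# Added example of a managedBy-based ACI (not the patch from this thread).
# Assumptions: services live under cn=services,cn=accounts,<suffix>, service
# entries carry objectClass ipaService, and managedBy holds the DN of each
# host entry that is allowed to replace the service's certificate.
dn: cn=services,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userCertificate")(targetfilter = "(objectClass=ipaService)")(version 3.0; acl "Hosts listed in managedBy can write service certificates"; allow (write) userattr = "managedBy#USERDN";)
```

Because the targetattr is limited to userCertificate and the bind rule is evaluated against each target entry's own managedBy value, a host gains write access to exactly the services that list it and nothing else; a host that is not listed receives an insufficient-access error when it tries to store a certificate, which is the failure mode the re-ordered request_certificate() aims to surface before any certificate is issued.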
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-304-2-cert.patch
Type: application/mbox
Size: 12393 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20091103/e10680ae/attachment.mbox>
