[Freeipa-devel] Reasons for not using certmonger DBus API
Jan Cholasta
jcholast at redhat.com
Wed Jul 30 14:28:50 UTC 2014
On 30.7.2014 at 15:51, David Kupka wrote:
> On 07/23/2014 03:45 PM, Nalin Dahyabhai wrote:
>> On Wed, Jul 23, 2014 at 10:12:39AM +0200, Martin Kosek wrote:
>>> Certmonger API looked complete enough to pull this off:
>>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/api.txt
>>>
>>> If I am wrong, please tell me.
>>
>> No, it's meant to be complete -- the getcert command only uses the APIs
>> to talk to the daemon, so they provide at least what it needs.
>>
>> Two words of caution:
>> * That file's manually maintained, so it might not completely reflect
>> what's available. The introspection data's generated at runtime, so
>> if you poke the service with an introspection request, or using
>> d-feet, which does so under the covers, you might spot discrepancies.
>> It probably goes without saying, but please report any that you find.
>> * The majority of properties are currently marked read-only, and you
>> currently have to use the 'modify' API request to change them. Mostly
>> this is a result of 'getcert' not having needed anything more than
>> that, and properties having been added after the initial versions, so
>> it's not set in stone.
>>
>> HTH,
>>
>> Nalin
>>
> In fact it is almost complete enough for us. The only operation I can't
> find is 'write ca_external_helper'.
> add_principal_to_cas and remove_principal_from_cas are modifying this
> entry in the ca file. Certmonger provides a 'get_location' DBus method that
> returns the value of this entry but I can't find any 'set_location' method,
> writable property or other way to modify it over DBus.
> Am I searching wrong? If not, I looked in the certmonger code and think that
> I will be able to add the missing functionality. But I'm unsure what is
> the preferred way, I can think of two:
> 1. set_location method
> 2. read-write location/ca_external_helper property
>
These two functions are used to force the local hostname in certmonger. IMO
the right thing to do here would be to drop these two functions and fix
ipa-submit so that it reads the required configuration from
/etc/ipa/default.conf.
--
Jan Cholasta
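
The check Nalin suggests in the quoted reply (compare the hand-maintained api.txt with the introspection data generated at runtime, and see which properties are read-only) can be scripted. The following is an added example, not part of the original thread and not certmonger or FreeIPA code; the interface name, the `hypothetical_*` names and the sample XML are constructed, and only `get_location` comes from the thread.

```python
import xml.etree.ElementTree as ET

# Standard D-Bus interfaces (Introspectable, Properties, Peer) are not service API.
STANDARD_PREFIX = "org.freedesktop.DBus."

# Constructed introspection reply, in the standard D-Bus introspection XML format.
# It was not captured from a real certmonger daemon.
SAMPLE_INTROSPECTION = """<node>
  <interface name="org.example.ca">
    <method name="get_location">
      <arg name="location" type="s" direction="out"/>
    </method>
    <method name="hypothetical_new_method"/>
    <property name="hypothetical-ro-prop" type="s" access="read"/>
    <property name="hypothetical-rw-prop" type="b" access="readwrite"/>
  </interface>
  <interface name="org.freedesktop.DBus.Introspectable">
    <method name="Introspect"><arg name="data" type="s" direction="out"/></method>
  </interface>
</node>"""

# Constructed stand-in for the method names listed in a hand-maintained API document.
SAMPLE_DOCUMENTED = ["get_location", "hypothetical_old_method"]


def audit_introspection(xml_text, documented_methods):
    """Compare runtime introspection data with a hand-maintained method list."""
    root = ET.fromstring(xml_text)
    exposed, read_only, writable = set(), set(), set()
    for iface in root.findall("interface"):
        if iface.get("name", "").startswith(STANDARD_PREFIX):
            continue
        for method in iface.findall("method"):
            exposed.add(method.get("name"))
        for prop in iface.findall("property"):
            # access is "read", "write" or "readwrite"
            target = read_only if prop.get("access") == "read" else writable
            target.add(prop.get("name"))
    documented = set(documented_methods)
    return {
        "undocumented": sorted(exposed - documented),  # exposed, missing from the doc
        "not_exposed": sorted(documented - exposed),   # in the doc, not on the bus
        "read_only": sorted(read_only),                # cannot be set as a property
        "writable": sorted(writable),
    }


if __name__ == "__main__":
    for key, names in audit_introspection(SAMPLE_INTROSPECTION, SAMPLE_DOCUMENTED).items():
        print(f"{key}: {names}")
```

Against a live service, the XML would come from an `Introspect` call on the object of interest instead of the embedded sample.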