[Freeipa-devel] [PATCHES 0001-0011 v3] Profile management

Martin Basti mbasti at redhat.com
Thu May 21 12:31:45 UTC 2015


On 21/05/15 14:16, Martin Basti wrote:
> On 20/05/15 16:41, Fraser Tweedale wrote:
>> Hi Honza, Martin et al,
>>
>> Latest patches attached.  On top of previous patches (most review
>> matters addressed**) patches 0008..0011 add support for profiles and
>> user certificates to `ipa cert-request'.
>>
>> ** those that were not are being tracked at [1]; please add anything
>>     I missed.
>>
>> Some points to note:
>>
>> - usercertificate is not yet a multi-valued attribute for users,
>>    hosts and services.
>>
>>    QUESTION - we do want to allow multiple certificates for all
>>    principal types, not just users?  Or have I got that wrong.
>>
>> - "DN and SAN match principal" checks are not implemented for users
>>    yet.
>>
>> - ACL was added to allow user principals to request their own
>>    certificates, however, this will be further subject to CA/profile
>>    ACLs which are to come.
>>
>> - Pursuant to [2] revocation logic was removed from `cert-request'
>>
>> [1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>> [2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates
>>
>> Thanks,
>> Fraser
> I tried upgrade and:
>
> Updating managed permissions for certprofile
> Upgrade failed with targetattr "ipacertprofilestoreissued" does not 
> exist in schema. Please add attributeTypes "ipacertprofilestoreissued" 
> to schema if necessary. ACL Syntax Error(-5):(targetattr = \22cn || 
> description || ipacertprofilestoreissued\22)(targetfilter = 
> \22(objectclass=ipacertprofile)\22)(version 3.0;acl 
> \22permission:System: Modify Certificate Profile\22;allow (write) 
> groupdn = \22ldap:///cn=System: Modify Certificate 
> Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;): 
> Invalid syntax.
>   [error] RuntimeError: targetattr "ipacertprofilestoreissued" does 
> not exist in schema. Please add attributeTypes 
> "ipacertprofilestoreissued" to schema if necessary. ACL Syntax 
> Error(-5):(targetattr = \22cn || description || 
> ipacertprofilestoreissued\22)(targetfilter = 
> \22(objectclass=ipacertprofile)\22)(version 3.0;acl 
> \22permission:System: Modify Certificate Profile\22;allow (write) 
> groupdn = \22ldap:///cn=System: Modify Certificate 
> Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;): 
> Invalid syntax.
>   [cleanup]: stopping directory server
>   [cleanup]: restoring configuration
>
> I cannot find the "ipacertprofilestoreissued" in any IPA schema file.
>
> Did I miss something?
>
>
Sorry, I found it, stupid me.
I will investigate why upgrade failed then.

-- 
Martin Basti
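The upgrade failure quoted above is 389-ds rejecting an ACI whose targetattr list names an attribute type that is not (yet) in the directory schema; the `\22` sequences in the log are the server's escaping of double quotes. As an added illustration (not FreeIPA's own code, and not part of this thread), the following script unescapes such a logged ACI, pulls out its targetattr list and reports which attributes are absent from a given schema, so a missing attributeTypes definition can be spotted before an upgrade applies the permission. The schema attribute set and the base DN in the ACI are constructed for the example.

```python
import re

# Constructed sample: the ACI from the upgrade error above, as the server
# logs it (double quotes escaped as \22). The base DN is a placeholder.
LOGGED_ACI = (
    r'(targetattr = \22cn || description || ipacertprofilestoreissued\22)'
    r'(targetfilter = \22(objectclass=ipacertprofile)\22)'
    r'(version 3.0;acl \22permission:System: Modify Certificate Profile\22;'
    r'allow (write) groupdn = \22ldap:///cn=System: Modify Certificate Profile,'
    r'cn=permissions,cn=pbac,dc=example,dc=com\22;)'
)

# Constructed subset of attribute types present in the schema; the new
# ipacertprofilestoreissued attribute is deliberately left out.
SCHEMA_ATTRS = {"cn", "description", "objectClass", "ipaCertProfileStoreIssued"[:0] or "member"}

_TARGETATTR_RE = re.compile(r'\(targetattr\s*!?=\s*"([^"]*)"\)', re.IGNORECASE)


def unescape_aci_log(logged):
    """Turn the \\22 escapes used in 389-ds error output back into quotes."""
    return logged.replace(r'\22', '"')


def targetattrs(aci):
    """Return the attribute names listed in the ACI's targetattr clause.

    The clause is a '||'-separated list; '*' means all attributes and is
    returned as-is. Names are returned in the order they appear.
    """
    m = _TARGETATTR_RE.search(aci)
    if not m:
        return []
    return [a.strip() for a in m.group(1).split("||") if a.strip()]


def missing_targetattrs(aci, schema_attrs):
    """Attributes named in targetattr that the schema does not define.

    LDAP attribute names are case-insensitive, so comparison is lowercased.
    """
    known = {a.lower() for a in schema_attrs}
    return sorted(
        a for a in targetattrs(aci)
        if a != "*" and a.lower() not in known
    )


if __name__ == "__main__":
    aci = unescape_aci_log(LOGGED_ACI)
    print("targetattr:", targetattrs(aci))
    print("not in schema:", missing_targetattrs(aci, SCHEMA_ATTRS))
```

Run against a real deployment you would replace `SCHEMA_ATTRS` with the attribute type names read from `cn=schema` (for example with python-ldap), and feed it the ACI values from the managed-permission definitions before `ipa-server-upgrade` tries to write them.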