[Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

Martin Kosek mkosek at redhat.com
Fri May 29 11:03:46 UTC 2015


On 05/29/2015 11:21 AM, Martin Basti wrote:
> On 29/05/15 06:17, Fraser Tweedale wrote:
>> On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote:
>>> On 28/05/15 11:48, Martin Basti wrote:
>>>> On 27/05/15 16:04, Fraser Tweedale wrote:
>>>>> Hello all,
>>>>>
>>>>> Fresh certificate management patchset; Changelog:
>>>>>
>>>>> - Now depends on patch freeipa-ftweedal-0014 for correct
>>>>> cert-request behaviour with host and service principals.
>>>>>
>>>>> - Updated Dogtag dependency to 10.2.4-1.  Should be in
>>>>> f22 soon, but for f22 right now or for f21, please grab from my
>>>>> copr: https://copr.fedoraproject.org/coprs/ftweedal/freeipa/
>>>>>
>>>>>    Martin^1 could you please add to the quasi-official freeipa
>>>>>    copr?  SRPM lives at
>>>>>    https://frase.id.au/pki-core-10.2.4-1.fc21.src.rpm.
>>>>>
>>>>> - cert-request now verifies that for user principals, CSR CN
>>>>> matches uid and that DN emailAddress and SAN rfc822Name match user's
>>>>> email address, if either of those is present.
>>>>>
>>>>> - Fixed one or two other sneaky little bugs.
>>>>>
>>>>> On Wed, May 27, 2015 at 01:59:30AM +1000, Fraser Tweedale wrote:
>>>>>> Hi all,
>>>>>>
>>>>>> Please find attached the latest certificate management
>>>>>> patchset, which introduces the `caacl' plugin and various fixes
>>>>>> and improvements to earlier patches.
>>>>>>
>>>>>> One important change to earlier patches is reverting the name
>>>>>> of the default profile to 'caIPAserviceCert' and using the
>>>>>> existing instance of this profile on upgrade (but not install)
>>>>>> in case it has been modified.
>>>>>>
>>>>>> Other notes:
>>>>>>
>>>>>> - Still have changes in ipa-server-install (fewer lines now,
>>>>>> though)
>>>>>>
>>>>>> - Still have the ugly import hack.  It is not a high priority
>>>>>> for me, i.e. I think it should wait until after alpha
>>>>>>
>>>>>> - Still need to update 'service' and 'host' plugins to support
>>>>>> multiple certificates.  (The userCertificate attribute schema
>>>>>> itself is multi-valued, so there are no schema issues here)
>>>>>>
>>>>>> - The TODOs in [1]; mostly certprofile CLI conveniences and
>>>>>> supporting multiple profiles for hosts and services (which
>>>>>> requires changes to framework only, not schema).  [1]:
>>>>>> http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
>>>>>>
>>>>>> Happy reviewing!  I am pleased with the initial cut of the
>>>>>> caacl plugin but I'm sure you will find some things to be fixed
>>>>>> :)
>>>>>>
>>>>>> Cheers, Fraser
>>>> [root@vm-093 ~]# ipa-replica-prepare vm-094.example.com --ip-address 10.34.78.94
>>>> Directory Manager (existing master) password:
>>>>
>>>> Preparing replica for vm-094.example.com from vm-093.example.com
>>>> Creating SSL certificate for the Directory Server
>>>> not well-formed (invalid token): line 2, column 14
>>>>
>>>> I cannot create the replica file.  It works on the upgraded server,
>>>> but it doesn't work on the newly installed server.  I'm not sure
>>>> if this is caused by your patches which modify the ca-installer, or
>>>> by the newer version of dogtag.
>>>>
>>>> Or if there was any other changes in master, I will continue to
>>>> investigate with new RPM from master branch.
>>>>
>>>> Martin^2
>>>>
>>> ipa-replica-prepare works for:
>>>   * master branch
>>>   * master branch + pki-ca 10.2.4-1
>>>
>>> So something in your patches is breaking it
>>>
>>> Martin^2
>>>
>> Martin, master + my patches with pki 10.2.4-1 is working for me on
>> f21 and f22.  Can you provide ipa-replica-prepare --debug output and
>> Dogtag debug log?  ( /var/log/pki/pki-tomcat/ca/debug )
>>
>> Thanks,
>> Fraser
> I cannot reproduce it today. And I already recycled the VMs from yesterday. :-(
>

In that case I would suggest ACKing & pushing the patch and fixing the bug if it
comes again. The tree may now be a bit unstable, given the number of patches
going in.

My main motivation here is to unblock Fraser.

Thanks,
Martin
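
An added example of the check the changelog above describes for user principals
(CSR CN must match uid; DN emailAddress and SAN rfc822Name, when present, must
match the user's email address). This is not code from the thread or from
FreeIPA's cert-request plugin. It assumes python-cryptography is installed, models
the user entry as a plain dict with 'uid' and an optional 'mail' list, and
compares addresses case-insensitively, which is this example's choice rather
than anything stated in the thread. The CSRs it checks are constructed inline.

```python
# Added example, not code from the thread or from FreeIPA.
# Assumptions: python-cryptography is installed; the user entry is a plain
# dict with 'uid' (str) and optional 'mail' (list of str).  Email values are
# compared case-insensitively, which is this example's choice, not a rule
# stated in the thread.
from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def csr_identity_errors(csr, user):
    """Compare a user principal's CSR against its directory entry.

    Returns a list of human-readable mismatches; an empty list means the
    request passes.  Rules (from the changelog above):
      - subject CN must equal the uid (exactly one CN expected)
      - subject emailAddress, if present, must be one of the user's mail values
      - every SAN rfc822Name, if a SAN is present, must be one of the user's
        mail values
    A user with no mail attribute therefore rejects any CSR carrying an email.
    """
    errors = []
    uid = user["uid"]
    mails = {m.lower() for m in user.get("mail", [])}

    cns = [a.value for a in csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    if cns != [uid]:
        errors.append("subject CN %r does not match uid %r" % (cns, uid))

    for attr in csr.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS):
        if attr.value.lower() not in mails:
            errors.append("subject emailAddress %r is not one of the user's "
                          "mail values %r" % (attr.value, sorted(mails)))

    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        san = None
    if san is not None:
        for name in san.get_values_for_type(x509.RFC822Name):
            if name.lower() not in mails:
                errors.append("SAN rfc822Name %r is not one of the user's "
                              "mail values %r" % (name, sorted(mails)))
    return errors


def make_csr(cn, email=None, san_emails=()):
    """Build a throwaway CSR as constructed test input (EC key, so it is fast)."""
    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, cn)]
    if email is not None:
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    builder = x509.CertificateSigningRequestBuilder().subject_name(x509.Name(attrs))
    if san_emails:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.RFC822Name(e) for e in san_emails]),
            critical=False)
    return builder.sign(key, hashes.SHA256(), default_backend())


if __name__ == "__main__":
    # Constructed sample user entry and requests.
    alice = {"uid": "alice", "mail": ["alice@example.com"]}
    good = make_csr("alice", "alice@example.com", ["alice@example.com"])
    bad = make_csr("alice", "mallory@example.com", ["alice@example.com"])
    print("good CSR:", csr_identity_errors(good, alice) or "OK")
    print("bad CSR:", csr_identity_errors(bad, alice))
```

The function collects every mismatch rather than stopping at the first one, so a
rejected request can report both a wrong CN and a foreign rfc822Name in one
error; a real plugin would raise a validation error with that list.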
