[Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

Ben Lipton blipton at redhat.com
Tue Aug 16 17:30:02 UTC 2016


On 08/10/2016 08:52 AM, Ben Lipton wrote:
> The pull request at https://github.com/LiptonB/freeipa/pull/4/commits 
> has been brought up to date (with a force push), and also includes 3 
> more patches, described below.
>
> The patchset is also attached. To make sure that everything applies, I 
> just regenerated the whole set, though there may not be meaningful 
> changes.
>
After a discussion about how to address some of the concerns that have 
been voiced about this project, there have been some changes to the 
project direction. So, I wanted to provide an update about what the 
plans are. If you have objections or feel that I'm not representing it 
correctly, please let me know.

Since we have yet to see all the ways people will want to use this 
feature, the immediate goal is to provide something that we can iterate 
on. To make this easier, we will avoid storing rule data on the server 
or modifying the server schema, as those changes would need to be 
supported long term/handled correctly on update. I plan to approach this 
as follows:
- Separate the provider of mapping rules into a separate component from 
the generation of a config based on those rules
- Build an alternative rule provider that reads local files rather than 
querying IPA
- Move the implementation of CSR config formatting from the server API 
into a library (where should this go? ipalib? ipapython?), and then 
provide a client-side command that builds a config using the library.
- Templates for at least two profiles ("user" profile with 
CN=<username>,<subject_base> subject and email address SAN, "service" 
profile with CN=<fqdn>,<subject_base> subject and DNS SAN) will be 
provided. Users will be able to build custom profiles by putting files 
in the appropriate directories on their client machines (but we will not 
guarantee backward compatibility for the format of these files).
- If we decide to move forward with storing rules on the server, the 
library call can be referenced from the server code, using the rule 
provider that pulls rules from the API. However, at that point we may 
also go in the direction of making automatic cert generation fully the 
responsibility of Dogtag, and keep the CSR-generation approach 
client-side only.

Comments welcome! Unless the changes are more complex than I anticipate, 
I hope to have a prototype of this approach for review by the end of 
this week.

Ben
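As an added illustration of the split described above (not FreeIPA code, and not from the linked pull request): a rule provider that reads local files, kept separate from the library call that renders a CSR config from those rules. The JSON rule file layout, the `$`-placeholder syntax and the principal attribute names (`username`, `email`, `fqdn`, `subject_base`) are assumptions.

```python
import json
import os
import tempfile
from abc import ABC, abstractmethod
from string import Template

class RuleProvider(ABC):
    """Source of mapping rules; the generator never cares where they come from."""
    @abstractmethod
    def get_rules(self, profile: str) -> dict: ...

class LocalFileRuleProvider(RuleProvider):
    """Reads <rules_dir>/<profile>.json (hypothetical layout) instead of querying IPA."""
    def __init__(self, rules_dir: str):
        self.rules_dir = rules_dir
    def get_rules(self, profile: str) -> dict:
        with open(os.path.join(self.rules_dir, profile + ".json")) as f:
            return json.load(f)

def build_csr_config(rules: dict, principal: dict) -> str:
    """Render an openssl req(1)-style config from rules plus the principal's attributes.
    Template.substitute raises KeyError when an attribute the rule needs is missing,
    so an incomplete entry fails closed instead of yielding an empty SAN."""
    subject = Template(rules["subject"]).substitute(principal)
    san = Template(rules["san"]).substitute(principal)
    # "CN=alice,O=EXAMPLE.COM" -> one "attr = value" line per RDN in the [ dn ] section
    dn_lines = "\n".join(rdn.strip().replace("=", " = ", 1) for rdn in subject.split(","))
    return ("[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = exts\n"
            "[ dn ]\n" + dn_lines + "\n[ exts ]\nsubjectAltName = " + san + "\n")

def missing_attribute_rejected(rules: dict, principal: dict) -> bool:
    """True when rendering refuses a principal lacking a required attribute."""
    try:
        build_csr_config(rules, principal)
        return False
    except KeyError:
        return True

# Constructed sample rules for the two profiles named in the mail.
SAMPLE_RULES = {
    "user": {"subject": "CN=$username,$subject_base", "san": "email:$email"},
    "service": {"subject": "CN=$fqdn,$subject_base", "san": "DNS:$fqdn"},
}

def sample_provider(rules_dir=None) -> LocalFileRuleProvider:
    """Write SAMPLE_RULES as profile files and return a provider that reads them back."""
    rules_dir = rules_dir or tempfile.mkdtemp()
    for name, rules in SAMPLE_RULES.items():
        with open(os.path.join(rules_dir, name + ".json"), "w") as f:
            json.dump(rules, f)
    return LocalFileRuleProvider(rules_dir)
```

A provider that pulls the same JSON shape from the IPA API could replace `LocalFileRuleProvider` without touching `build_csr_config`, which is the point of the split.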
