Jason Gerard DeRose wrote:
On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
I had originally implemented allowing a host to request certificates for other hosts using the requesting IP address. That was a pretty lousy way to do it.

This patch uses the DS ACI system instead. We came up with a clever ACI that lets hosts listed in the managedBy attribute in the service modify the userCertificate attribute. So you can use this to delegate which hosts can request certificates for which services, even for other machines.

I also re-ordered the request_certificate() method a bit. We want all the service work done before we do the certificate request. It was previously adding the service after the cert request was done. This could mean a failed request if the requestor isn't allowed to add services. But it is also too late because the cert had already been issued.

I documented how this works a bit at http://www.freeipa.org/page/Certificate_Authority

rob

I'm having problems applying this patch:

error: install/share/60basev2.ldif: patch does not apply


It was because the syntax of the fqdn attribute in 60basev2.ldif changed and it was in the context of this patch. New patch attached.

rob

Attachment: freeipa-304-2-cert.patch
Description: application/mbox

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
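What the ACI-based delegation Rob describes looks like in practice, as an added illustration that is not the text of the attached patch; the ACI line uses the 389-DS `userattr` bind-rule syntax, and the DNs, hostnames, realm and file path are sample values.

```ldif
# Added illustration, not the attached patch. Suffix, hostnames, realm and
# the certificate file path are assumed sample values.
#
# 1. The ACI on the services container. It grants write access to the
#    userCertificate attribute only, and only to a bind DN that appears as
#    a value of managedBy on the service entry being written
#    ("managedby#USERDN"; parent[0,1] is the 389-DS inheritance prefix).
#    Because targetattr is limited to userCertificate, a host cannot use
#    this rule to add itself to managedBy or touch anything else.
dn: cn=services,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userCertificate")(version 3.0; acl "Hosts can modify service userCertificate"; allow(write) userattr = "parent[0,1].managedby#USERDN";)

# 2. Delegation: let ca-proxy.example.com request and store certificates
#    for the HTTP service of web.example.com, a different machine.
#    This write is done by an administrator, not by the host.
dn: krbprincipalname=HTTP/web.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
changetype: modify
add: managedBy
managedBy: fqdn=ca-proxy.example.com,cn=computers,cn=accounts,dc=example,dc=com

# 3. The only operation the ACI then permits when the bind DN is
#    fqdn=ca-proxy.example.com,cn=computers,cn=accounts,dc=example,dc=com:
#    storing the issued certificate in the service entry. A host whose DN
#    is not listed in managedBy gets an insufficient-access error here.
#    (sample path; DER-encoded certificate)
dn: krbprincipalname=HTTP/web.example.com@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=com
changetype: modify
replace: userCertificate;binary
userCertificate;binary:< file:///tmp/http-web.example.com.der
```

Matching Rob's reordering, the service entry and its managedBy values must exist before the certificate is issued, otherwise step 3 fails after the CA has already signed the request.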

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
