On 05/21/2015 05:33 PM, Martin Basti wrote:
On 20/05/15 16:41, Fraser Tweedale wrote:
Hi Honza, Martin et al,

Latest patches attached.  On top of previous patches (most review
matters addressed**) patches 0008..0011 add support for profiles and
user certificates to `ipa cert-request'.

** those that were not are being tracked at [1]; please add anything
    I missed.

Some points to note:

- usercertificate is not yet a multi-valued attribute for users,
   hosts and services.

It should be multivalued now, for all 3 entities.

   QUESTION - we do want to allow multiple certificates for all
   principal types, not just users?  Or have I got that wrong?

You have that right (unless I miss something).

Changing the schema can cause issues in the future; we have already burned ourselves several
times.
If you plan to have a multi-valued attribute in the near future, could it be better to
have a multi-valued schema now, instead of making this change in the future?

+1. In general, it is better to do the schema right from day 0; temporary limitations should rather be solved in the framework, which is easier to change.


- "DN and SAN match principal" checks are not implemented for users
   yet.

- ACL was added to allow user principals to request their own
   certificates, however, this will be further subject to CA/profile
   ACLs which are to come.

- Pursuant to [2] revocation logic was removed from `cert-request'

[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
[2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates

Thanks,
Fraser

Thank you too.

Martin

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
