Re: [Freeipa-devel] [PATCH] 304 hosts requesting certificates
On Tue, 2009-11-03 at 09:37 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
> >> I had originally implemented allowing a host to request certificates for
> >> other hosts using the requesting IP address. That was a pretty lousy way
> >> to do it.
> >>
> >> This patch uses the DS ACI system instead. We came up with a clever ACI
> >> that lets hosts listed in the managedBy attribute in the service modify
> >> the userCertificate attribute. So you can use this to delegate which
> >> hosts can request certificates for which services, even for other machines.
> >>
> >> I also re-ordered the request_certificate() method a bit. We want all
> >> the service work done before we do the certificate request. It was
> >> previously adding the service after the cert request was done. This
> >> could mean a failed request if the requestor isn't allowed to add
> >> services. But it is also too late because the cert had already been issued.
> >>
> >> I documented how this works a bit at
> >> http://www.freeipa.org/page/Certificate_Authority
> >>
> >> rob
> >
> > I'm having problems applying this patch:
> >
> > error: install/share/60basev2.ldif: patch does not apply
> >
>
> It was because the syntax of the fqdn attribute in 60basev2.ldif changed
> and it was in the context of this patch. New patch attached.
>
> rob

ack. pushed to master.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 304 hosts requesting certificates
Jason Gerard DeRose wrote:
> On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
>> I had originally implemented allowing a host to request certificates for
>> other hosts using the requesting IP address. That was a pretty lousy way
>> to do it.
>>
>> This patch uses the DS ACI system instead. We came up with a clever ACI
>> that lets hosts listed in the managedBy attribute in the service modify
>> the userCertificate attribute. So you can use this to delegate which
>> hosts can request certificates for which services, even for other machines.
>>
>> I also re-ordered the request_certificate() method a bit. We want all
>> the service work done before we do the certificate request. It was
>> previously adding the service after the cert request was done. This
>> could mean a failed request if the requestor isn't allowed to add
>> services. But it is also too late because the cert had already been issued.
>>
>> I documented how this works a bit at
>> http://www.freeipa.org/page/Certificate_Authority
>>
>> rob
>
> I'm having problems applying this patch:
>
> error: install/share/60basev2.ldif: patch does not apply

It was because the syntax of the fqdn attribute in 60basev2.ldif changed
and it was in the context of this patch. New patch attached.

rob

Attachment: freeipa-304-2-cert.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 304 hosts requesting certificates
On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
> I had originally implemented allowing a host to request certificates for
> other hosts using the requesting IP address. That was a pretty lousy way
> to do it.
>
> This patch uses the DS ACI system instead. We came up with a clever ACI
> that lets hosts listed in the managedBy attribute in the service modify
> the userCertificate attribute. So you can use this to delegate which
> hosts can request certificates for which services, even for other machines.
>
> I also re-ordered the request_certificate() method a bit. We want all
> the service work done before we do the certificate request. It was
> previously adding the service after the cert request was done. This
> could mean a failed request if the requestor isn't allowed to add
> services. But it is also too late because the cert had already been issued.
>
> I documented how this works a bit at
> http://www.freeipa.org/page/Certificate_Authority
>
> rob

I'm having problems applying this patch:

error: install/share/60basev2.ldif: patch does not apply
[Freeipa-devel] [PATCH] 304 hosts requesting certificates
I had originally implemented allowing a host to request certificates for
other hosts using the requesting IP address. That was a pretty lousy way
to do it.

This patch uses the DS ACI system instead. We came up with a clever ACI
that lets hosts listed in the managedBy attribute in the service modify
the userCertificate attribute. So you can use this to delegate which
hosts can request certificates for which services, even for other machines.

I also re-ordered the request_certificate() method a bit. We want all
the service work done before we do the certificate request. It was
previously adding the service after the cert request was done. This
could mean a failed request if the requestor isn't allowed to add
services. But it is also too late because the cert had already been issued.

I documented how this works a bit at
http://www.freeipa.org/page/Certificate_Authority

rob

Attachment: freeipa-304-cert.patch (application/mbox)
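To make the two points of the patch concrete, here is an added Python model, not FreeIPA's code: the delegation rule (a bound host may write userCertificate on a service entry only if its DN appears in that service's managedBy attribute) and the reordered request_certificate(), with the old ordering kept behind a flag to show why a denied request used to leave an already-issued certificate behind. The DN layout, the in-memory directory and the FakeCA are constructed assumptions, and the check is a Python stand-in for the DS ACI, not its syntax.

```python
class RequestDenied(Exception):
    pass

class FakeCA:
    """Stand-in CA that only records what it issued (constructed for the example)."""
    def __init__(self):
        self.issued = []
    def issue(self, csr):
        self.issued.append(csr)
        return f"CERT({csr})"

def host_dn(fqdn):
    return f"fqdn={fqdn},cn=computers,cn=accounts,dc=example,dc=com"

def service_dn(principal):
    return f"krbprincipalname={principal},cn=services,cn=accounts,dc=example,dc=com"

def make_sample_directory():
    """Constructed sample: lb1 is delegated, via managedBy, to manage web1's HTTP service."""
    return {
        service_dn("HTTP/web1.example.com@EXAMPLE.COM"): {
            "managedby": [host_dn("web1.example.com"), host_dn("lb1.example.com")],
            "usercertificate": [],
        },
    }

def can_write_usercertificate(directory, bind_dn, target_dn):
    """Mirrors the ACI decision: write on userCertificate only if bind DN is in managedBy."""
    entry = directory.get(target_dn)
    if entry is None:
        return False
    return bind_dn.lower() in (dn.lower() for dn in entry.get("managedby", []))

def request_certificate(directory, ca, bind_dn, target_dn, csr,
                        may_add_services=False, old_order=False):
    """Fixed flow: service add (if permitted) and the ACI check come first, so a
    denied request never reaches the CA. old_order=True reproduces the original bug."""
    if old_order:
        cert = ca.issue(csr)  # bug: issued before any check could fail
    if target_dn not in directory:
        if not may_add_services:
            raise RequestDenied("requester is not allowed to add services")
        directory[target_dn] = {"managedby": [bind_dn], "usercertificate": []}
    if not can_write_usercertificate(directory, bind_dn, target_dn):
        raise RequestDenied(f"{bind_dn} is not in managedBy of {target_dn}")
    if not old_order:
        cert = ca.issue(csr)  # fixed: only after all service work succeeded
    directory[target_dn]["usercertificate"].append(cert)
    return cert
```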