On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
> I had originally implemented allowing a host to request certificates for
> other hosts using the requesting IP address. That was a pretty lousy way
> to do it.
>
> This patch uses the DS ACI system instead. We came up with a clever ACI
> that lets hosts listed in the managedBy attribute in the service modify
> the userCertificate attribute. So you can use this to delegate which
> hosts can request certificates for which services, even for other machines.
>
> I also re-ordered the request_certificate() method a bit. We want all
> the service work done before we do the certificate request. It was
> previously adding the service after the cert request was done. This
> could mean a failed request if the requestor isn't allowed to add
> services. But it is also too late because the cert had already been issued.
>
> I documented how this works a bit at
> http://www.freeipa.org/page/Certificate_Authority
>
> rob

I'm having problems applying this patch:

error: install/share/60basev2.ldif: patch does not apply
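
The delegation rule and request ordering described in the quoted message, modelled as an added example that is not part of the thread or of FreeIPA's code. The `Directory`, `ToyCA` and `NotAllowed` classes, the `service_admins` set and the host names are constructed assumptions; the real check is enforced by a directory server ACI, not by Python.

```python
# Toy model (added example, all names hypothetical; not FreeIPA code).
class NotAllowed(Exception):
    pass

class Directory:
    """In-memory stand-in for the directory server."""
    def __init__(self, service_admins):
        self.service_admins = set(service_admins)  # binders allowed to add services
        self.services = {}                         # principal -> entry

    def add_service(self, binder, principal, managed_by):
        if binder not in self.service_admins:
            raise NotAllowed(f"{binder} may not add services")
        self.services[principal] = {"managedBy": set(managed_by),
                                    "userCertificate": None}

    def can_write_certificate(self, binder, principal):
        # Models the ACI: only hosts listed in managedBy may write userCertificate.
        return binder in self.services[principal]["managedBy"]

class ToyCA:
    def __init__(self):
        self.issued = []  # every principal a certificate was issued for

    def issue(self, principal):
        self.issued.append(principal)
        return "CERT-FOR-" + principal

def request_certificate(directory, ca, binder, principal):
    # Service work first: create the entry if needed, then check delegation.
    if principal not in directory.services:
        directory.add_service(binder, principal, managed_by=[binder])
    if not directory.can_write_certificate(binder, principal):
        raise NotAllowed(f"{binder} does not manage {principal}")
    # Only now contact the CA, so a denied request never yields a certificate.
    cert = ca.issue(principal)
    directory.services[principal]["userCertificate"] = cert
    return cert

def build_sample():
    # Constructed sample: web1 is delegated to manage a service on web2.
    d = Directory(service_admins=["admin"])
    d.add_service("admin", "HTTP/web2.example.com",
                  managed_by=["web1.example.com", "web2.example.com"])
    return d, ToyCA()
```
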