On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
> I had originally implemented allowing a host to request certificates for 
> other hosts using the requesting IP address. That was a pretty lousy way 
> to do it.
> This patch uses the DS ACI system instead. We came up with a clever ACI 
> that lets hosts listed in the managedBy attribute in the service modify 
> the userCertificate attribute. So you can use this to delegate which 
> hosts can request certificates for which services, even for other machines.
> I also re-ordered the request_certificate() method a bit. We want all 
> the service work done before we do the certificate request. It was 
> previously adding the service after the cert request was done. This 
> could mean a failed request if the requestor isn't allowed to add 
> services. But it is also too late because the cert had already been issued.
> I documented how this works a bit at 
> http://www.freeipa.org/page/Certificate_Authority
> rob

I'm having problems applying this patch:

error: install/share/60basev2.ldif: patch does not apply

Freeipa-devel mailing list
