I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key, using our modlist generator won't work, and lots of tricks would be needed to use the LDAPUpdate object in any case. The alternative is to add a function to the ldap2 backend that achieves this, or something similar like 'delete_attrs'. I just didn't see a general case for it.
I pulled usercertificate out of the global params and put it into each appropriate function because it makes no sense for service-disable.
I added tests to verify that the certificate we issue is found in the service. This also double-checks that the service commands actually return certificate data.
_______________________________________________
Freeipa-devel mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-devel