Add API to delete a service principal key, service-disable. This is so an admin can essentially revoke a service principal without deleting it.

I have to do some pretty low-level LDAP work to achieve this. Since we can't read the key, using our modlist generator won't work, and lots of tricks would be needed to use the LDAPUpdate object in any case. The alternative is to add a function to the ldap2 backend that achieves this, or something similar like 'delete_attrs'. I just didn't see a general case for it.

I pulled usercertificate out of the global params and put it into each appropriate function because it makes no sense for service-disable.

I added tests to verify that the certificate we issue is found in the service. This also double-checks that the service commands actually return certificate data.


Attachment: freeipa-479-service.patch
Description: application/mbox

Freeipa-devel mailing list
