Re: [Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add

Martin Kosek Wed, 08 Oct 2014 00:25:07 -0700

On 10/07/2014 06:48 PM, Jan Cholasta wrote:
> Hi,
> 
> the attached patch fixes <https://fedorahosted.org/freeipa/ticket/4540>.
> 
> The error message is now the generic ACI error message, e.g. "Insufficient
> access: Insufficient 'add' privilege to add the entry
> 'krbprincipalname=something/somehost.example....@example.com,cn=services,cn=accounts,dc=example,dc=com'.
> 
> "
> 
> Honza


Yup, simpler is better in this case. The certmonger tracker seems easier to
understand to me now:

# ipa-getcert list -i 20141008071708
Number of certificates and requests being tracked: 9.
Request ID '20141008071708':
        status: CA_REJECTED
        ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access:
Insufficient 'add' privilege to add the entry
'krbprincipalname=test/ipa.mkosek-fedora20.t...@mkosek-fedora20.test,cn=services,cn=accounts,dc=mkosek-fedora20,dc=test'.).
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
        certificate: 
type=NSSDB,location='/etc/httpd/nssdb',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes


ACK. Pushed to:
master: 8e602eaf46b71ad8f713f549d6a823c70567bb22
ipa-4-1: ed5ffbfd75f3f1a62581c50a2c64d9e75fc74081
ipa-4-0: 80da03a2169de3a78edec42c1eab1f87734f49a7

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 348 Remove misleading authorization error message in cert-request with --add

Reply via email to