On Fri, Apr 17, 2015 at 10:03:45AM +0200, Jan Cholasta wrote:
> On 17.4.2015 at 09:45, Fraser Tweedale wrote:
> >On Fri, Apr 17, 2015 at 07:26:55AM +0200, David Kupka wrote:
> >>On 04/16/2015 10:03 AM, Fraser Tweedale wrote:
> >>>Hi everyone,
> >>>
> >>>Please review my Certificate Profiles design proposal:
> >>>http://www.freeipa.org/page/V4/Certificate_Profiles
> >>>
> >>>Let me know what is unclear, what needs expansion, and what is plain
> >>>wrong :)
> >>>
> >>>The schema for storing multiple certificates for a principal is
> >>>still being discussed but I expect it will be agreed soon, and I
> >>>will add it to the document.
> >>>
> >>>I am revising the sub-CAs design proposal and it will soon be
> >>>published for review as well.
> >>>
> >>>Cheers,
> >>>Fraser
> >>>
> >>Hi Fraser,
> >>I've read the design page and even though I know only a little about Dogtag
> >>it makes sense to me.
> >>
> >>Just a few notes:
> >>
> >>3.4 Retrieve profile - There was XML format twice (probably
> >>copy-paste-forget to modify :-) I changed it, feel free to revert the change
> >>if it was intentional.
> >>
> >>3.5 Delete profile - IMO the profile should be deleted when user requests
> >>that. If the profile must be disabled before deleted do it as a part of
> >>deletion.
> >>
> >>3.6 Enable/disable profile - When user request enabling/disabling of already
> >>enabled/disabled profile there is no need to return an error. User wants it
> >>to be enabled/disabled and it is, job done.
>
> Actually not, we raise AlreadyActive/AlreadyInactive in this case (see e.g.
> selinuxusermap-enable).
>
Good to know - I haven't learned about the SELinux bits yet and probably
wouldn't have found this.

> >>
> >>5.2.1 CLI - I would change the command to 'ipa certprofile-add' to stay
> >>consistent with rest of FreeIPA commands.
> >>
> >David, thanks for your input. 'certprofile-import' was chosen after
> >discussion with Honza, based on the fact the profile already exists
> >(as a file) and is being imported into the system. Jan, do you
> >still agree with '-import'? What do other people think?
>
> Yes, it should be -import. -add is reserved for the case when the properties
> of the profile are specified directly in command arguments, but in -import
> they are read from the supplied file.
>
OK, -import it stays; thanks!

> >
> >Cheers,
> >Fraser
> >
>
>
> --
> Jan Cholasta