On 21/05/15 14:16, Martin Basti wrote:
On 20/05/15 16:41, Fraser Tweedale wrote:
Hi Honza, Martin et al,

Latest patches attached.  On top of previous patches (most review
matters addressed**) patches 0008..0011 add support for profiles and
user certificates to `ipa cert-request'.

** those that were not are being tracked at [1]; please add anything
    I missed.

Some points to note:

- usercertificate is not yet a multi-valued attribute for users,
   hosts and services.

   QUESTION - do we want to allow multiple certificates for all
   principal types, not just users?  Or have I got that wrong?

- "DN and SAN match principal" checks are not implemented for users
   yet.

- ACL was added to allow user principals to request their own
   certificates, however, this will be further subject to CA/profile
   ACLs which are to come.

- Pursuant to [2] revocation logic was removed from `cert-request'

[1] http://idm.etherpad.corp.redhat.com/rhel72-cert-mgmt-progress
[2] http://www.freeipa.org/page/V4/User_Certificates#Revocation_of_the_Certificates

Thanks,
Fraser
I tried upgrade and:

Updating managed permissions for certprofile
Upgrade failed with targetattr "ipacertprofilestoreissued" does not exist in schema. Please add attributeTypes "ipacertprofilestoreissued" to schema if necessary. ACL Syntax Error(-5):(targetattr = \22cn || description || ipacertprofilestoreissued\22)(targetfilter = \22(objectclass=ipacertprofile)\22)(version 3.0;acl \22permission:System: Modify Certificate Profile\22;allow (write) groupdn = \22ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;): Invalid syntax. [error] RuntimeError: targetattr "ipacertprofilestoreissued" does not exist in schema. Please add attributeTypes "ipacertprofilestoreissued" to schema if necessary. ACL Syntax Error(-5):(targetattr = \22cn || description || ipacertprofilestoreissued\22)(targetfilter = \22(objectclass=ipacertprofile)\22)(version 3.0;acl \22permission:System: Modify Certificate Profile\22;allow (write) groupdn = \22ldap:///cn=System: Modify Certificate Profile,cn=permissions,cn=pbac,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com\22;): Invalid syntax.
  [cleanup]: stopping directory server
  [cleanup]: restoring configuration

I cannot find the "ipacertprofilestoreissued" in any IPA schema file.

Did I miss something?


Sorry, I found it, stupid me.
I will investigate why upgrade failed then.

--
Martin Basti
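The upgrade failure above is the directory server rejecting an ACI whose targetattr list names an attribute type it does not find in its schema. A cheap pre-check is to parse the targetattr clause and compare each name against the attributeTypes the server actually declares before the ACI is written. The following is an added example, not FreeIPA's own code or the updater's logic: the schema fragments and the `dc=example,dc=com` suffix are constructed, the OID for ipaCertProfileStoreIssued is an obvious placeholder, and the ACI string copies the shape of the one in the error (including 389-ds's `\22` escaping of quotes).

```python
import re

# Constructed subschema fragments in the LDAP attributeTypes syntax.
# cn and description carry their standard OIDs; the IPA attribute's OID is
# an obvious placeholder, since the real value is not given in the thread.
SAMPLE_SCHEMA_WITHOUT_IPA_ATTR = [
    "( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )",
    "( 2.5.4.13 NAME 'description' EQUALITY caseIgnoreMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
]
SAMPLE_SCHEMA_WITH_IPA_ATTR = SAMPLE_SCHEMA_WITHOUT_IPA_ATTR + [
    "( OID-PLACEHOLDER NAME 'ipaCertProfileStoreIssued' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )",
]

# ACI in the shape shown in the upgrade error: quotes appear as the \22
# escape used in the error text, and the suffix is a constructed example.
SAMPLE_ACI = (
    r'(targetattr = \22cn || description || ipacertprofilestoreissued\22)'
    r'(targetfilter = \22(objectclass=ipacertprofile)\22)'
    r'(version 3.0;acl \22permission:System: Modify Certificate Profile\22;'
    r'allow (write) groupdn = \22ldap:///cn=System: Modify Certificate Profile,'
    r'cn=permissions,cn=pbac,dc=example,dc=com\22;)'
)

# NAME 'x' or NAME ( 'x' 'y' ) inside an attributeTypes definition.
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")
# (targetattr = "a || b") or (targetattr != "a || b") clause of an ACI.
_TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*!?=\s*"([^"]*)"\s*\)',
                            re.IGNORECASE)


def schema_attribute_names(definitions):
    """Return the set of attribute names (lower-cased, since LDAP attribute
    names are case-insensitive) declared by attributeTypes definitions."""
    names = set()
    for definition in definitions:
        m = _NAME_RE.search(definition)
        if m is None:
            continue
        if m.group(1):
            names.add(m.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(2)))
    return names


def aci_target_attrs(aci):
    """Extract the attribute names listed in an ACI's targetattr clause.
    Accepts both literal quotes and the \\22 escape seen in the log."""
    unescaped = aci.replace(r'\22', '"')
    m = _TARGETATTR_RE.search(unescaped)
    if m is None:
        return []
    return [a.strip().lower() for a in m.group(1).split('||') if a.strip()]


def missing_target_attrs(aci, definitions):
    """Attributes the ACI targets that the schema does not declare: the
    pre-check that would flag the 'does not exist in schema' failure
    before the ACI is written to the directory."""
    known = schema_attribute_names(definitions)
    return sorted(a for a in aci_target_attrs(aci) if a not in known)


if __name__ == '__main__':
    # With the IPA attribute absent from the schema the check names it;
    # once the schema declares it the list is empty.
    print(missing_target_attrs(SAMPLE_ACI, SAMPLE_SCHEMA_WITHOUT_IPA_ATTR))
    print(missing_target_attrs(SAMPLE_ACI, SAMPLE_SCHEMA_WITH_IPA_ATTR))
```

Against a live server the `definitions` list would come from the attributeTypes values of the cn=schema entry rather than from the constructed fragments; the comparison is lower-cased on both sides because the error text prints the attribute in lower case while schema files usually declare it in mixed case.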

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
