On 11.5.2016 11:22, Fraser Tweedale wrote:
Hi,

Re: Bug 1327092 - URI details missing and OCSP-URI details are
incorrectly displayed when certificate generated using IPA.

This issue occurs when replica installation overwrites the existing
IPA version of the caIPAserviceCert profile with the version shipped
with Dogtag.  My patch 0057 prevents the issue from occurring but
does not repair installations where the problem already happened.

For repair, one possibility is to detect when this has occurred, and
re-import the IPA version of the profile.  IMO this would be quite
brittle, e.g. if the profile shipped with Dogtag changes or if the user
has made other changes to the profile it may no longer work.

I propose to add a new option to ``ipa certprofile-mod`` which can
be used to restore profiles shipped with IPA to a "pristine" state.
This would allow admins of affected installations to run a single
command to repair the profile, but I think it is an independently
useful feature, e.g. if an admin messes up a profile but didn't keep a
backup of the original config, they can easily get back to the
original state.

The new option would only be applicable to included profiles (error
otherwise).  I suggest it be called ``--reset``.  Example usage:

    ipa certprofile-mod caIPAserviceCert --reset

All comments welcome!

NACK,

1) This is a separate operation, so it should be a separate command.

2) I don't think it is generally a good idea to have a command which relies on some file existing or having the expected content on all replicas.

3) I would rather avoid adding new commands just to work around bugs. IMO "certprofile-import caIPAserviceCert /usr/share/ipa/profiles/caIPAserviceCert.cfg" should be good enough in this case.

Honza

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code