On 08/10/2016 08:52 AM, Ben Lipton wrote:
The pull request at https://github.com/LiptonB/freeipa/pull/4/commits has been brought up to date (with a force push), and also includes 3 more patches, described below.

The patchset is also attached. To make sure that everything applies, I just regenerated the whole set, though there may not be meaningful changes.

After a discussion about how to address some of the concerns that have been voiced about this project, there have been some changes to the project direction. So, I wanted to provide an update about what the plans are. If you have objections or feel that I'm not representing it correctly, please let me know.

Since we have yet to see all the ways people will want to use this feature, the immediate goal is to provide something that we can iterate on. To make this easier, we will avoid storing rule data on the server or modifying the server schema, as those changes would need to be supported long term/handled correctly on update. I plan to approach this as follows:

- Separate the provider of mapping rules into a separate component from the generation of a config based on those rules
- Build an alternative rule provider that reads local files rather than querying IPA
- Move the implementation of CSR config formatting from the server API into a library (where should this go? ipalib? ipapython?), and then provide a client-side command that builds a config using the library.
- Templates for at least two profiles ("user" profile with CN=<username>,<subject_base> subject and email address SAN, "service" profile with CN=<fqdn>,<subject_base> subject and DNS SAN) will be provided. Users will be able to build custom profiles by putting files in the appropriate directories on their client machines (but we will not guarantee backward compatibility for the format of these files).
- If we decide to move forward with storing rules on the server, the library call can be referenced from the server code, using the rule provider that pulls rules from the API. However, at that point we may also go in the direction of making automatic cert generation fully the responsibility of Dogtag, and keep the CSR-generation approach client-side only.

Comments welcome! Unless the changes are more complex than I anticipate, I hope to have a prototype of this approach for review by the end of this week.
