Title: #694: RFC: implement local PKINIT deployment in server/replica install
@abbra I received an interactive review from @HonzaCholasta today and he is not
very keen on the idea of having ternary (absent/local/external/full) PKINIT
configuration. He suggests to only have it absent/off (local implementation)/on
and thus drop differentiation between PKINIT configured with IPA CA-issued or
3rd party certificates. The main concern here is that the 'local' PKINIT
configuration is actually an implementation detail we should not leak to
clients; they should only be able to tell if it is configured for them or not.
If you look into the design page, the two states (full/external) behave the
same during replica installation and upgrade so the differentiation does not
bring much new information to the users. So a simple on/off switch (something
like pkinitStatus: off/on) could be enough and it could simplify the transition
and UX. What do you think?