URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

abbra commented:
I agree that it is an internal detail whether we use local PKINIT or not. However, 
we need to know that it exists, as opposed to not existing at all, for older 
systems where we are going to perform upgrades. However, as you can derive this 
information from the presence or absence of the actual KDC certificate file in the 
file system during upgrade, this can be reduced, indeed.

One more detail: we already have a pkinit plugin (`ipaserver/plugins/pkinit.py`) 
which has the `ipa pkinit-anonymous enable/disable` command. This command cannot 
be used now because even for the 'local' case we require anonymous PKINIT to be 
usable, and this means we cannot disable the principal.

Perhaps you could remove this command and add an `ipa pkinit-status` 
command instead to show the status? It would show a list of KDCs and their status.

