URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically
MartinBasti commented:
"""
master:
* e8aed2524846f1cff3d09d676675f3b426178f60 ipa-kdb: reload certificate mapping rules periodically
ipa-4-5:
* d59694a93c3a734915d4ac05bb4e02
sumit-bose commented:
"""
> @sumit-bose I got confused by "periodically" in title and "every 5 minutes"
> in description. It works as expected.
ah, yes, I'm sorry the wording is
dkupka commented:
"""
@sumit-bose I got confused by "periodically" in title and "every 5 minutes" in
description. It works as expected.
"""
See the full comment at
https://gith
sumit-bose commented:
"""
@dkupka, the reload only happens while processing the PKINIT request, and only if the
rules are older than 5 minutes. It is not a timed event which runs all the
dkupka commented:
"""
@sumit-bose You're right, but then there's a ~6 hour gap where no reload
happened. I would expect that there would be one attempt to reload every 5
minutes.
sumit-bose commented:
"""
@dkupka, ah, this is a side effect of having multiple workers (3907-3912). The
IPA context is not shared between the workers, so each will load the certif
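The lazy, per-worker reload behaviour described in this thread, as an added illustration that is not ipa-kdb's own code: `RuleStore`, `WorkerContext`, the constant name and the timings are assumptions, and the scenario shows both the up-to-5-minute staleness window and the long gap on a worker that serves no PKINIT requests.

```python
RELOAD_INTERVAL = 5 * 60  # "older than 5 minutes", in seconds (assumed constant name)

class RuleStore:
    """Constructed stand-in for the certmap rules stored in LDAP."""
    def __init__(self, rules):
        self.rules = list(rules)
    def fetch(self):
        return list(self.rules)

class WorkerContext:
    """One KDC worker's private IPA context: its own rule copy and load time.
    Nothing is shared between workers, so each one reloads on its own."""
    def __init__(self, store, clock):
        self.store, self.clock = store, clock
        self.rules, self.loaded_at, self.reloads = None, None, 0
    def handle_pkinit(self):
        """Rules are refreshed only while serving a PKINIT request, and only
        if the cached copy is older than RELOAD_INTERVAL; there is no timer."""
        now = self.clock()
        if self.rules is None or now - self.loaded_at >= RELOAD_INTERVAL:
            self.rules = self.store.fetch()
            self.loaded_at = now
            self.reloads += 1
        return self.rules

def run_scenario():
    """Three workers, one rule edit at t=60s; returns what each worker saw."""
    now = [0]  # simulated clock, seconds
    store = RuleStore(["allow-cert-A"])
    workers = [WorkerContext(store, lambda: now[0]) for _ in range(3)]
    for w in workers:  # t=0: every worker serves a request and loads the rules
        w.handle_pkinit()
    now[0] = 60
    store.rules = ["allow-cert-B"]  # admin changes the mapping rule
    now[0] = 120
    seen_w0 = workers[0].handle_pkinit()  # cache 2 min old: stale rule still used
    now[0] = 400
    seen_w1 = workers[1].handle_pkinit()  # cache >5 min old: reloaded on demand
    now[0] = 6 * 3600
    idle_reloads = workers[2].reloads  # no PKINIT for 6h: never reloaded
    seen_w2 = workers[2].handle_pkinit()  # first request after the gap reloads
    return {"w0_at_120s": seen_w0, "w1_at_400s": seen_w1,
            "w2_reloads_before_request": idle_reloads, "w2_at_6h": seen_w2}
```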
dkupka commented:
"""
@sumit-bose Yes, I added rule that should allow the user to kinit with
certificate. I tried and it worked. Then I modified the rule so it no longer
matched
sumit-bose commented:
"""
@dkupka, did you modify the rules so that PKINIT should fail, or how did you
test? I tried to reproduce, but according to the logs the rules are reloaded
dkupka commented:
"""
@sumit-bose Works suspiciously well. I would expect some delay (up to 5
minutes) between modifying the rule and the change being effective but there's
none