On Tue, 2009-11-03 at 09:37 -0500, Rob Crittenden wrote:
> Jason Gerard DeRose wrote:
> > On Wed, 2009-10-28 at 17:41 -0400, Rob Crittenden wrote:
> >> I had originally implemented allowing a host to request certificates for
> >> other hosts using the requesting IP address. That was a pretty lousy way
> >> to do it.
> >>
> >> This patch uses the DS ACI system instead. We came up with a clever ACI
> >> that lets hosts listed in the managedBy attribute in the service modify
> >> the userCertificate attribute. So you can use this to delegate which
> >> hosts can request certificates for which services, even for other machines.
> >>
> >> I also re-ordered the request_certificate() method a bit. We want all
> >> the service work done before we do the certificate request. It was
> >> previously adding the service after the cert request was done. This
> >> could mean a failed request if the requestor isn't allowed to add
> >> services. But it is also too late because the cert had already been issued.
> >>
> >> I documented how this works a bit at
> >> http://www.freeipa.org/page/Certificate_Authority
> >>
> >> rob
> >
> > I'm having problems applying this patch:
> >
> > error: install/share/60basev2.ldif: patch does not apply
> >
>
> It was because the syntax of the fqdn attribute in 60basev2.ldif changed
> and it was in the context of this patch. New patch attached.
>
> rob

ack. pushed to master.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel