[Freeipa-devel] Who can make the CA requests
Dmitri Pal
dpal at redhat.com
Fri Dec 12 22:33:14 UTC 2008
Dmitri Pal wrote:
> Hi,
>
> Based on the feedback there is a new version of the CA integration
> design page http://www.freeipa.org/page/Certificate_Management.
>
The page has been updated once more.
The following changes have been made:
a) We defer the server side key generation use case
b) We acknowledge that the command interfaces and python pluggable
interface suggested are not complete. They do not take into account
our plan to allow issuing certs to services rather than just to hosts
c) The object class was turned to structural
d) We will use "member" attribute to point to the default group of users
that can perform the certificate operations. It is by default listed as
managed by referential integrity plugin. We can also use "manager" or
"owner". The manager attribute so far is not listed in the ref integrity
plugin. Should it? Is it a bug?
e) We will use a special system account for CA to connect to DS.
Did I miss anything?
The only open issue so far is to check the publishing and unpublishing
of the certificates into a multi value attribute.
Andrew, please perform these tests. You can just use extensible object on
any entry and try publishing and unpublishing a certificate. If you have
any questions about schema please ask Nathan.
Thank you
Dmitri
> Thank you
> Dmitri