[Freeipa-devel] [PATCH] 479 add service-disable command

Rob Crittenden rcritten at redhat.com
Fri Jul 9 14:41:41 UTC 2010


Rob Crittenden wrote:
> Add API to delete a service principal key, service-disable. This is so 
> an admin can essentially revoke a service principal without deleting it.
> 
> I have to do some pretty low-level LDAP work to achieve this. Since we 
> can't read the key, using our modlist generator won't work and lots of 
> tricks would be needed to use the LDAPUpdate object in any case. The 
> alternative is to add a function to the ldap2 backend that achieves 
> this, or something similar like 'delete_attrs'. I just didn't see a 
> general case for it.
> 
> I pulled usercertificate out of the global params and put it into each 
> appropriate function because it makes no sense for service-disable.
> 
> I added tests to verify that the certificate we issue is found in the 
> service. This also double-checks that the service commands actually 
> return certificate data.
> 
> rob
>

We need similar functionality for hosts so I'm going to pull back this 
patch and do both at once. I'm going to move the magic that does the key 
deletion into ldap2 to make for a very simple call within the plugins.

rob



