[Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

Ben Lipton blipton at redhat.com
Wed Jul 27 17:06:09 UTC 2016


Hi all,

I think the automatic CSR generation feature 
(https://fedorahosted.org/freeipa/ticket/4899, 
http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation) 
is stable enough to review now. The following are summaries of the 
attached patches:
0004: LDAP schema changes for the new feature
0005: Basic API for new objects and CSR generation
0006: Update install automation to create some default mapping rules
0007: Implement the lookups and text processing that generates the CSR 
config
0008 and 0009: Implement some actual transformation rules so that the 
feature is usable
0010: Add a new cert profile for user certs, with mappings
0011: Implement import/export of cert profiles with mappings
0012: Tests for profile import/export

Generally speaking, later patches depend on earlier ones, but I don't 
anticipate any problems from committing earlier patches without later ones.

If you prefer, you can also comment on the pull request version: 
https://github.com/LiptonB/freeipa/pull/4. Note that I may force push on 
this branch.

Allocation of OIDs for schema change also needs review: 
https://code.engineering.redhat.com/gerrit/#/c/80061/

Known issues:
- When the requested principal does not have some of the requested data, 
produces funny-looking configs with extra commas, empty sections, etc. 
They are still accepted by my copies of openssl and certutil, but they 
look ugly.
- The new objects don't have any ACIs, so for the moment only admin can 
run the new commands.
- Does not yet have support for prompting user for field values, so 
currently all data must come from the database.
- All processing happens on the server side. As discussed in a previous 
thread, it would be desirable to break this out into a library so it 
could be used client-side.

Very excited to hear your thoughts!
Ben
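The first known issue above (configs with extra commas and empty sections when the principal lacks some of the mapped attributes) is easy to reproduce in a small model. The block below is an added illustration for this thread, not code from the attached patches or from FreeIPA: the principal attribute names (`cn`, `o`, `san_dns`, `san_email`), the OpenSSL `req` config template and the helper names are all assumptions made here. It renders the same constructed principal two ways, template-first (fill every placeholder, which is what leaves `O =` and `subjectAltName = ,` behind) and data-first (build sections from the attributes that are actually present and drop empty keys, empty sections and the `[ req ]` reference to a dropped section), and includes a checker that flags the artifacts so a reviewer can assert on generated output instead of eyeballing it.

```python
"""Hypothetical model of the 'extra commas / empty sections' issue when an
OpenSSL req config is rendered from principal attributes.  Not FreeIPA code;
attribute names and the template are assumptions for illustration only."""

# Constructed sample principals (not real directory entries).
FULL_PRINCIPAL = {
    "cn": "web.example.test",
    "o": "Example Org",
    "san_dns": ["web.example.test", "www.example.test"],
    "san_email": ["admin@example.test"],
}
SPARSE_PRINCIPAL = {
    "cn": "api.example.test",
    # no organisation and no SAN data of any kind
}

# Template-first rendering: every placeholder is filled whether or not the
# principal carries the attribute.
NAIVE_TEMPLATE = """[ req ]
prompt = no
distinguished_name = dn
req_extensions = exts

[ dn ]
CN = {cn}
O = {o}

[ exts ]
subjectAltName = {dns}, {email}
"""


def render_naive(principal):
    """Fill the template blindly; missing data leaves dangling '=' and ','."""
    dns = ", ".join("DNS:" + d for d in principal.get("san_dns", []))
    email = ", ".join("email:" + e for e in principal.get("san_email", []))
    return NAIVE_TEMPLATE.format(
        cn=principal.get("cn", ""), o=principal.get("o", ""),
        dns=dns, email=email)


def render_clean(principal):
    """Data-first rendering: keep only keys with a value, drop sections with
    no keys, and reference a section from [ req ] only if it survived."""
    dn = [("CN", principal.get("cn")), ("O", principal.get("o"))]
    san_items = (["DNS:" + d for d in principal.get("san_dns", [])]
                 + ["email:" + e for e in principal.get("san_email", [])])
    exts = [("subjectAltName", ", ".join(san_items))]
    sections = {
        "dn": [(k, v) for k, v in dn if v],
        "exts": [(k, v) for k, v in exts if v],
    }
    sections = {name: kvs for name, kvs in sections.items() if kvs}
    req = [("prompt", "no")]
    if "dn" in sections:
        req.append(("distinguished_name", "dn"))
    if "exts" in sections:
        req.append(("req_extensions", "exts"))
    out = []
    for name, kvs in [("req", req)] + list(sections.items()):
        out.append("[ %s ]" % name)
        out.extend("%s = %s" % (k, v) for k, v in kvs)
        out.append("")
    return "\n".join(out)


def has_artifacts(config_text):
    """Return the set of ugliness markers found in a rendered config:
    'empty_value' for 'key =' with nothing after it, 'dangling_comma' for a
    list value with a leading, trailing or doubled comma, and
    'empty_section' for a section header followed by no keys."""
    found = set()
    in_section = False
    keys_in_section = 0
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("["):
            if in_section and keys_in_section == 0:
                found.add("empty_section")
            in_section, keys_in_section = True, 0
            continue
        keys_in_section += 1
        if line.endswith("="):
            found.add("empty_value")
        if ", ," in line or line.endswith(",") or "= ," in line:
            found.add("dangling_comma")
    if in_section and keys_in_section == 0:
        found.add("empty_section")
    return found


if __name__ == "__main__":
    for name, p in (("full", FULL_PRINCIPAL), ("sparse", SPARSE_PRINCIPAL)):
        print("naive/%s: %s" % (name, sorted(has_artifacts(render_naive(p)))))
        print("clean/%s: %s" % (name, sorted(has_artifacts(render_clean(p)))))
```

The data-first approach is the one worth carrying into a template engine such as jinja2 as well: compute the list of (key, value) pairs per section before rendering and let the template loop over sections that are non-empty, rather than hard-coding every key and joining SAN entries with a literal comma in the template text. The `has_artifacts` check is cheap enough to run over every config produced in a test suite.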
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0004-Add-schema-to-support-automatic-CSR-generation.patch
Type: text/x-patch
Size: 6055 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0005-Add-plugin-for-CSR-generation.patch
Type: text/x-patch
Size: 20581 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0006-Add-generation-rules-to-the-default-cert-profile.patch
Type: text/x-patch
Size: 8002 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0007-Add-code-to-support-generating-configs-using-mapping.patch
Type: text/x-patch
Size: 10906 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0008-Add-jinja2-templates-and-macros-to-support-generatin.patch
Type: text/x-patch
Size: 7032 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0009-Add-jinja2-transformation-rules-for-caIPAserviceCert.patch
Type: text/x-patch
Size: 6222 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0005.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0010-Add-a-new-cert-profile-for-users.patch
Type: text/x-patch
Size: 9460 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0006.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0011-Add-ability-to-import-export-mappings-with-profile.patch
Type: text/x-patch
Size: 15515 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0007.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-blipton-0012-Add-tests-for-mapping-rules-import-export.patch
Type: text/x-patch
Size: 18905 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20160727/73788a0b/attachment-0008.bin>