Hi all,

I've been chipping away at the profile changes required for
https://fedorahosted.org/freeipa/ticket/2915.

I've encountered a problem where the EKU extension constraint is
being replaced by NoConstraint for validation. The profile does
read the constraint correctly, i.e. it appears in the "Manage
Certificate Profiles" table in the web UI, but when it comes to
performing the validation, it is instead using
``com.netscape.cms.profile.constraint.NoConstraint``.

I am using a modified caServerCert profile; the only changed part
being:

policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2

(This change was made to the caServerCert profile).

This is occurring on master (989e5d3). A minimal patch that adds
the logging which demonstrates this behaviour (for me) is attached.

Any help in understanding this behaviour is appreciated :)

Cheers,
Fraser
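
The profile lines quoted in the message can be checked mechanically before looking at the server side. The Python below is an added example, not part of the original message or of Dogtag: it parses policyset.<set>.<n>.* lines and flags any Extended Key Usage default that has no EKU constraint, or that sets OIDs the constraint does not list. It inspects only what the profile text declares, not which constraint the running CA applies; noConstraintImpl is the class id stock profiles use for an unconstrained policy, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample: the policy 7 lines quoted in the message above.
SAMPLE_PROFILE = """\
policyset.serverCertSet.7.constraint.class_id=extendedKeyUsageExtConstraintImpl
policyset.serverCertSet.7.constraint.name=Extended Key Usage Extension
policyset.serverCertSet.7.constraint.params.exKeyUsageCritical=false
policyset.serverCertSet.7.constraint.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2
"""

def parse_policies(text):
    """Group 'policyset.<set>.<n>.<rest>=<value>' lines by (set, n)."""
    policies = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        parts = key.split(".")
        # Skips 'policyset.list' and 'policyset.<set>.list' bookkeeping keys.
        if len(parts) < 4 or parts[0] != "policyset" or not parts[2].isdigit():
            continue
        policies[(parts[1], int(parts[2]))][".".join(parts[3:])] = value.strip()
    return dict(policies)

def eku_oids(policy, side):
    raw = policy.get(side + ".params.exKeyUsageOIDs", "")
    return {oid.strip() for oid in raw.split(",") if oid.strip()}

def audit_eku(policies):
    """Return (set, number, message) for each EKU default that is not constrained."""
    findings = []
    for (pset, num), pol in sorted(policies.items()):
        if pol.get("default.class_id") != "extendedKeyUsageExtDefaultImpl":
            continue
        cls = pol.get("constraint.class_id")
        if cls != "extendedKeyUsageExtConstraintImpl":
            findings.append((pset, num, "EKU default has no EKU constraint (constraint.class_id=%s)" % cls))
            continue
        extra = eku_oids(pol, "default") - eku_oids(pol, "constraint")
        if extra:
            findings.append((pset, num, "default sets OIDs outside the constraint: " + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    print(audit_eku(parse_policies(SAMPLE_PROFILE)) or "policy text is consistent")
```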