[PATCH] 0021..0023 Minor cleanups
by Fraser Tweedale
I've been accumulating drive-by cleanups and other small supporting
changes during my sub-CAs work. To improve the signal-noise ratio
and reduce the burden of reviewing the feature, I'm going to submit
some of these cleanups separately for review/merge beforehand.
Here are the first few.
9 years
[PATCH] pki-cfu-0045-Ticket-1028-phase2-TPS-rewrite-provide-externalReg-f.patch
by Christina Fu
Please review.
This patch is the 2nd phase of the externalReg feature; it makes the
following improvements:
* added feature: recovery by keyid (vs. by cert)
* fixed some auditing message errors
* added some missing ldapStringAttributes needed for delegation to work
properly
* added missing externalReg required config parameters
* made corrections to some externalReg related parameters to allow
delegation to work properly
* added handling of some error cases
* made sure externalReg enrollment does not go half-way (once fails,
bails out)
tested:
* enrollment of the three default TPS profiles (tokenTypes)
* format of the tokens enrolled with the three default TPS profiles
* delegation enrollments
* cuid match check
next phase:
* cert/key retention (allow preserving existing certs/keys on the token)
note:
* some of the activity log and cert status related issues that are not
specifically relating to externalReg will be addressed in other more
relevant tickets.
thanks,
Christina
9 years
CLI for editing profiles
by Fraser Tweedale
Along with LDAP profiles, we will be adding modules to the CLI for
adding and editing profiles in the ConfigStore format that was used
for file-based profiles. For more info, see:
http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage#Command-line_utili...
There is an existing CLI for adding and modifying profiles, in the
XML format, e.g. ``pki ca profile add caCustomProfile.xml``. The
XML format carries information including the profile ID and
class_id, but these data must be supplied out-of-band when dealing
with the ConfigStore format.
Because of this, I intend to:
- add new commands to the existing profile CLI for working with the
"raw" (i.e., ConfigStore) format, e.g. "edit-raw", "add-raw".
Where necessary, these commands will take compulsory
``--profile-id`` and/or ``--class-id`` arguments, to account for
the absence of such information in the profile ConfigStore format;
and
- transport this information in the XML format - not in the "raw"
format - so that it will be unnecessary to make changes to
ProfileClient or the ProfileService API.
As usual, I welcome feedback - especially if you feel I am going the
wrong way ^_^
9 years
[PATCH] pki-tomcatd fails to start on system boot
by Matthew Harmsen
Please review the attached patch which addresses the following issues:
* PKI TRAC Ticket #1315 - pki-tomcatd fails to start on system boot
<https://fedorahosted.org/pki/ticket/1315>
* PKI TRAC Ticket #1340 - pkidestroy should not remove /var/lib/pki
<https://fedorahosted.org/pki/ticket/1340>
Note that this was tested successfully on my Fedora 21 laptop.
After numerous re-writes in which I attempted to make it work on an
individual PKI instance (but not subsystems within a shared PKI
instance), I finally gave in and made it work as explained in the
'pki_default.cfg' man page.
The issue was that 'systemctl disable <instance>' not only removed the
desired symbolic link from
'/etc/systemd/system/multi-user.target.wants', but also caused the
deletion of the entire '/etc/systemd/system/pki-targetd.target.wants'
directory (which is owned by the pki-server package). Within PKI, this
directory and its internal symbolic link are always required for proper
operation, and it confused the system so badly that I was not able to
restore it by simply re-running 'systemctl enable <instance>'.
As the revised man page states, to manually disable PKI instances from
starting upon reboot, run 'systemctl disable pki-tomcatd.target'; to
manually enable them, run 'systemctl enable pki-tomcatd.target'. No one
should ever run 'systemctl enable/disable <pki instance>' (nor, for that
matter, 'systemctl enable/disable <389 instance>'), as this confuses the
system.
Additionally, this patch makes the change to 'infrastructure_layout.py'
to only create/remove the '/var/lib/pki' directory (owned by the
'pki-server' package) when it has been relocated using pkispawn's '-p
<prefix>' test parameter.
Finally, since another line was added to the final status report
produced at the end of 'pkispawn', I streamlined the spacing a bit in
this patch.
9 years
[PATCH] pki-ftweedal-0015-Monitor-database-for-changes-to-LDAP-profiles.patch
by Fraser Tweedale
This is the first cut of the LDAP profile change monitoring. It
depends on patches 0004..0009 and 0014
(https://www.redhat.com/archives/pki-devel/2014-September/msg00052.html).
To summarise the implementation: a separate thread carries out a
persistent LDAP search and calls back into the ProfileSubsystem when
changes occur. I haven't had much experience with persistent
searches or multithreaded programming in Java, so eyeballs familiar
with those areas are needed.
I haven't yet tested with changes replicating between clones (a task
for tomorrow) but I wanted to get the patch on list for feedback as
early as possible.
Cheers,
Fraser
9 years