Discussion for devs: once this is merged should I update all the
included service-oriented profiles (e.g. caCAcert; not user or CA
cert profiles) to add this profile component?
IMO we should do it, but we should not automatically update existing
installations. Instead, we (I) can produce a KBase article about
using the new component.
Let me know what you think.
Cheers,
Fraser
On Thu, Feb 02, 2017 at 12:46:30PM -0700, Matthew Harmsen wrote:
On 02/01/2017 12:25 AM, Fraser Tweedale wrote:
> Hi all,
>
> The attached patches implement the long-desired feature to copy CN
> to SubjectAltName (
> https://fedorahosted.org/pki/ticket/1710).
>
> I've also pushed the branch to my GitHub repo; feel free to review
> the patches there:
>
> https://github.com/frasertweedale/pki/commits/feature/1710-cn-to-san
>
> Thanks,
> Fraser
>
>
> _______________________________________________
> Pki-devel mailing list
> Pki-devel(a)redhat.com
>
> https://www.redhat.com/mailman/listinfo/pki-devel
Fraser,
In order to review this patch, I am going to apply it and make a scratch
build of Dogtag 10.2.6 on RHEL 7.2 so that Red Hat IT can test it out for
us.
If they give us their approval, you can consider yourself granted an ACK on
this patch and check it into master so that I can cherry-pick it into the
10.3 branches.
-- Matt
P. S. - FYI, the following conversation took place on #cs today:
<mharmsen> dminnich,walrus: ftweedal has released a patch for
https://fedorahosted.org/pki/ticket/1710 - Add profile component
that copies CN to SAN -- if I applied that patch to a 10.3.3
pki-core for RHEL 7.3, could you guys test it out, or in order to
test it out, do you need a scratch build of Dogtag 10.2.6 on RHEL
7.2 like last time?
<walrus> mharmsen: having a scratch build of 7.2 would be quickest
<walrus> we are just now planning the 7.3 upgrade, which will take
some time to get into dev
<mharmsen> walrus: okay, I can try to see if I can do that, but
remember that we will not deliver an official RHEL 7.2 build of RHCS 9.1
<walrus> yeah we should be on 7.3 in a month or so... a lot of
things to test on a lot of servers :)
<walrus> csnell|wfh: ^^^
<mharmsen> walrus: completely understood! LOL
<dminnich> mharmsen: that will be a very welcome patch
<dminnich> mharmsen: do you happen to know if ACLs work against SANs?
<mharmsen> dminnich: not off the top of my head
<mharmsen> edewata, cfu, jmagne: ^^^?
<dminnich> that is something on our to investigate list as well
<mharmsen> dminnich: I am going to drop an email to ftweedal, and I
will ask that question
<edewata> mharmsen: no idea about SAN
<jmagne> mharmsen, don't know
<cfu> dminnich, mharmsen , what does that mean?
<dminnich> cfu: right now we allow only people in LDAP group X to
issue certs for domains that meet Y regex. but we don't check
SANs. so somebody could CN=blah.devlab.com and get approved but add
a SAN for www.redhat.com and we don't deny it
<edewata> dminnich: where is X & Y defined?
<dminnich> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/te...
<dminnich> https://gitolite.corp.redhat.com/cgit/puppet-cfg/modules/rhcs.git/tree/te...
<dminnich> edewata: ^ some of that might be added by puppet later. but
thats the gist
<edewata> dminnich: ok, it's in profile, not ACL
<dminnich> authz.acl=group and constraints
<cfu> dminnich, dminnich ah, I see. so it's like a pattern
constraint just like what we have for subject name now in the
profile. Yeah, you can write a constraint plugin for that
<cfu> dminnich, anyway, feel free to file a ticket for it.
<dminnich> cfu: will do
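The gap dminnich describes in the conversation above (the profile's subject-name pattern is matched against the CN only, so a SAN for an unrelated domain rides along unchecked), modelled in Python as an added example. This is not Dogtag code and does not use Dogtag's constraint-plugin API; the group names, the regexes, the Request type and the helper names are assumptions made for illustration. It places the CN-only check beside the check cfu suggests writing as a constraint plugin, which applies the same group policy to every dNSName SAN and refuses SAN types a hostname regex cannot vouch for.

```python
"""Illustration of a CN-only issuance check versus one that also covers SANs.

Added example, not Dogtag code. POLICY, Request and the helpers are
hypothetical; the "group X may issue for names matching Y" arrangement
mirrors the one described in the chat.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Hypothetical policy: LDAP group -> regex that every requested name must match.
POLICY = {
    "devlab-issuers": re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.devlab\.com$"),
    "corp-issuers": re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.redhat\.com$"),
}


@dataclass
class Request:
    group: str                                    # group the requester was authorised under
    subject_dn: str                               # e.g. "CN=blah.devlab.com,O=Example"
    sans: List[Tuple[str, str]] = field(default_factory=list)  # (GeneralName type, value) from the CSR


def subject_cn(dn: str) -> Optional[str]:
    """Return the CN attribute of an RFC 4514 DN string (assumes no escaped commas)."""
    m = re.search(r"(?:^|,)\s*CN=([^,]+)", dn, re.IGNORECASE)
    return m.group(1).strip() if m else None


def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so 'WWW.DevLab.com.' cannot dodge the regex."""
    return name.strip().lower().rstrip(".")


def cn_only_check(req: Request) -> Tuple[bool, str]:
    """The behaviour the chat describes: only the subject CN is matched; SANs are ignored."""
    pattern = POLICY.get(req.group)
    if pattern is None:
        return False, "group not authorised to issue"
    cn = subject_cn(req.subject_dn)
    if cn is None or not pattern.match(normalise(cn)):
        return False, f"CN {cn!r} does not match group policy"
    return True, "ok"


def cn_and_san_check(req: Request) -> Tuple[bool, str]:
    """Hardened check: every name the certificate would assert must satisfy the policy."""
    ok, reason = cn_only_check(req)
    if not ok:
        return ok, reason
    pattern = POLICY[req.group]
    for kind, value in req.sans:
        if kind != "dNSName":
            # iPAddress, rfc822Name, URI etc. are not hostnames; refuse rather than guess.
            return False, f"SAN type {kind} not permitted by policy"
        name = normalise(value)
        if name.startswith("*."):
            return False, f"wildcard SAN {value!r} not permitted"
        if not pattern.match(name):
            return False, f"SAN {value!r} does not match group policy"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request reproducing the scenario from the chat.
    bypass = Request("devlab-issuers", "CN=blah.devlab.com,O=Example",
                     [("dNSName", "www.redhat.com")])
    print("CN-only check   :", cn_only_check(bypass))     # (True, 'ok')
    print("CN+SAN check    :", cn_and_san_check(bypass))  # rejected on the SAN
```

The two functions take the same input so the difference is visible in one place: the CN-only check approves the devlab request with the www.redhat.com SAN, the CN+SAN check rejects it with the offending name in the reason. If the constraint plugin is written for real, the SAN list comes from the CSR's extension request (or from the new CN-to-SAN component's output), and the same normalisation should be applied to both CN and SAN values.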