#1574 Server-less subsystem user/group management.
Closed: migrated 3 years ago by dmoluguw. Opened 8 years ago by edewata.

The current pki tool provides a way to manage subsystem users/groups via the REST interface. However, the tool only works if the subsystem being managed is running and accessible. Sometimes the subsystem may be down or inaccessible due to an authentication issue (e.g. expired certificates, missing or misconfigured users/groups), so the admin is locked out. In those cases there should be a tool to fix the subsystem users/groups directly in the database.

One solution is to provide pki-server user/group commands similar to the pki user/group commands, except that they do not require a running server and can only be run locally by root. Instead of calling the REST interface on the PKI server, the tool will read the database password stored in password.conf to access the database directly.

The tool can be used to fix the following issues:

Proposed milestone: 10.3


Per discussion with alee and simo, the pki-server user/group commands may be needed to simplify future IPA installations. It may also use LDAPI instead of Directory Manager's password (see ticket #1585). The tool may also create audit logs as if the operations were done via regular pki user/group commands.

Metadata Update from @edewata:
- Issue set to the milestone: UNTRIAGED

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2133

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on the Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.

Metadata Update from @dmoluguw:
- Issue close_status updated to: migrated
- Issue status updated to: Closed (was: Open)

3 years ago
