Currently, even if a principal has permission to write the userCertificate attribute of principal(s), cert-request will deny certificate issuance unless there is a caacl rule allowing it. This affects even admin.
Add a permission that suppresses caacl enforcement in cert-request, of which admin is a member.
Discussion on freeipa-devel: https://www.redhat.com/archives/freeipa-devel/2015-July/msg00110.html
didn't go through proper triage
attachment freeipa-ftweedal-0030-Add-permission-for-bypassing-CA-ACL-enforcement.patch
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1250145
master:
ipa-4-2:
Metadata Update from @ftweedal: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.2.1