#5459 Default CA ACL rule is not created during ipa-replica-install
Closed: Fixed. Opened 3 years ago by mkosek.

When a FreeIPA 4.2+ replica is created from an older server (FreeIPA on RHEL-6 in the reported case), the default CA ACL rule is not created, out of concern that an administrator may have deliberately deleted it and it would be added again during replica installation.

This, however, means that services and hosts cannot request certificates after such an upgrade via migration.

I expect the majority of admins will be happy with the default rule as is, especially after migration from RHEL-6 to FreeIPA 4.2+. If admins really do not want it and click "delete", they should get an error message like "This rule is managed by FreeIPA and cannot be deleted. Please disable it to make it ineffective".

That should give a better migration experience while at the same time allowing admins to disable the rule in rare cases.
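A post-migration check for the situation the ticket describes, added here as an example rather than code from the ticket or from FreeIPA itself: it classifies the output of `ipa caacl-show` and, when the default rule is missing, recreates it with the catch-all host/service categories and the caIPAserviceCert profile, or reports when an admin has chosen to disable it. It assumes the FreeIPA 4.2+ default rule name `hosts_services_caIPAserviceCert` and a valid admin Kerberos ticket; `caacl_status` and `ensure_default_caacl` are names chosen for this example.

```shell
#!/bin/sh
# Added example, not FreeIPA project code. Assumes the 4.2+ default CA ACL
# name below and that the caller has run `kinit admin` on an IPA server.
DEFAULT_CAACL="hosts_services_caIPAserviceCert"

# caacl_status: read `ipa caacl-show` output (stdout+stderr) on stdin and
# print one of: missing, present-enabled, present-disabled.
caacl_status() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'not found'; then
        echo missing
    elif printf '%s\n' "$out" | grep -qi 'Enabled: *TRUE'; then
        echo present-enabled
    else
        echo present-disabled
    fi
}

# ensure_default_caacl: recreate the default rule if a replica install from
# an older server left it out; leave a deliberately disabled rule alone.
ensure_default_caacl() {
    status=$(ipa caacl-show "$DEFAULT_CAACL" 2>&1 | caacl_status)
    case "$status" in
        missing)
            echo "default CA ACL missing (expected after migration); recreating"
            ipa caacl-add "$DEFAULT_CAACL" --hostcat=all --servicecat=all
            ipa caacl-add-profile "$DEFAULT_CAACL" --certprofiles=caIPAserviceCert
            ;;
        present-disabled)
            echo "default CA ACL exists but is disabled: hosts and services" \
                 "cannot request caIPAserviceCert certs until it is enabled"
            ;;
        present-enabled)
            echo "default CA ACL present and enabled"
            ;;
    esac
}
```

Run `ensure_default_caacl` on the new replica after the install completes; hosts and services will only be able to request certificates once the rule exists and is enabled.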


master:

  • 6fe0a89 Do not erroneously reinit NSS in Dogtag interface
  • 620036d Add profiles and default CA ACL on migration

ipa-4-2:

  • 3cb7933 Do not erroneously reinit NSS in Dogtag interface
  • a2371f3 Add profiles and default CA ACL on migration

master:

  • 341406d disconnect ldap2 backend after adding default CA ACL profiles

ipa-4-2:

  • 0f39612 disconnect ldap2 backend after adding default CA ACL profiles

master:

  • ed830af do not disconnect when using existing connection to check default CA ACLs

ipa-4-2:

  • c5faaed do not disconnect when using existing connection to check default CA ACLs

Metadata Update from @mkosek:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.2.4

2 years ago
