Open pki-bot opened 3 years ago
Comment from edewata (@edewata) at 2015-08-25 18:15:09
Per discussion with alee and simo5, the pki-server user/group commands may be needed to simplify future IPA installations. It may also use LDAPI instead of Directory Manager's password (see ticket 1585). The tool may also create audit logs as if the operations were done via regular pki user/group commands.
Comment from edewata (@edewata) at 2015-08-26 18:57:05
Related IPA tickets:
Comment from edewata (@edewata) at 2017-02-27 14:01:44
Metadata Update from @edewata:
This issue was migrated from Pagure Issue #1574. Originally filed by edewata (@edewata) on 2015-08-19 22:33:13:
The current pki tool provides a way to manage subsystem users/groups via the REST interface. However, the tool only works if the subsystem being managed is running and accessible. Sometimes the subsystem may be down or inaccessible due to an authentication issue (e.g. expired certificates, missing or misconfigured users/groups), so the admin is locked out. In those cases there should be a tool to fix the subsystem users/groups directly in the database.
One solution is to provide pki-server user/group commands similar to the pki user/group commands, except that they do not require a running server and can only be run locally by root. Instead of calling the REST interface on the PKI server, the tool will read the database password stored in password.conf to access the database directly.
The tool can be used to fix the following issues:
Proposed milestone: 10.3
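An added sketch, not part of the original ticket or the PKI code base, of the local checks a tool like the one proposed above would want before it trusts password.conf: caller is root, the file is a regular file that is not a symlink, and it is not readable or writable beyond its owner and group. The `internaldb` key name, the `key=value` line format, the permission policy and the `euid` parameter (there so the check can be exercised without root) are assumptions.

```python
import os
import stat


def read_db_password(path, key="internaldb", euid=None):
    """Return the value stored under `key` in a key=value password file.

    Raises PermissionError if the caller is not root or the file is
    exposed to other users, ValueError if it is not a regular file,
    KeyError if the key is absent.
    """
    euid = os.geteuid() if euid is None else euid
    if euid != 0:
        raise PermissionError("must be run locally by root")

    # O_NOFOLLOW: refuse a symlink planted at the expected path.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    with os.fdopen(fd, "r", encoding="utf-8") as f:
        # fstat the open descriptor so the checks apply to the file
        # that is actually read, not to whatever the path names later.
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise ValueError(f"{path}: not a regular file")
        if st.st_mode & (stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH):
            raise PermissionError(f"{path}: group-writable or world-accessible")

        for line in f:
            line = line.rstrip("\r\n")
            if not line.strip():
                continue
            # Split on the first '=' only and keep the value verbatim:
            # a password may itself contain '=' or spaces.
            name, sep, value = line.partition("=")
            if sep and name.strip() == key:
                return value
    raise KeyError(key)
```

The returned value should be handed straight to the LDAP bind and never written to the audit log or to standard output.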