Server-less subsystem user/group management.

[pki-bot]

This issue was migrated from Pagure Issue #1574. Originally filed by edewata (@edewata) on 2015-08-19 22:33:13:

• Assigned to nobody

---

The current pki tool provides a way to manage subsystem users/groups via REST interface. However, the tool only works if the subsystem being managed is running and accessible. Sometimes the subsystem may be down or inaccessible due to authentication issue (e.g. expired certificates, missing or misconfigured users/groups) so the admin is locked out. In those cases there should be a tool to fix the subsystem users/groups directly in the database.

One solution is to provide pki-server user/group commands similar to pki user/group commands except that it does not require a running server and it can only be run locally by root. Instead of calling the REST interface on PKI server, the tool will read the database password stored in password.conf to access the database directly.

The tool can be used to fix the following issues:

• fixing user certificate mapping: https://fedorahosted.org/pki/ticket/1551
• restoring missing user: https://bugzilla.redhat.com/show_bug.cgi?id=1225589

Proposed milestone: 10.3

[pki-bot]

Comment from edewata (@edewata) at 2015-08-25 18:15:09

Per discussion with alee and simo5, the pki-server user/group commands may be needed to simplify future IPA installations. It may also use LDAPI instead of Directory Manager's password (see ticket 1585). The tool may also create audit logs as if the operations were done via regular pki user/group commands.

[pki-bot]

Comment from edewata (@edewata) at 2015-08-26 18:57:05

Related IPA tickets:

• https://fedorahosted.org/freeipa/ticket/5253
• https://fedorahosted.org/freeipa/ticket/5257

[pki-bot]

Comment from edewata (@edewata) at 2017-02-27 14:01:44

Metadata Update from @edewata:

• Issue set to the milestone: UNTRIAGED