URL:
https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically
sumit-bose commented:
"""
@dkupka, did you modify the rules so that PKINIT should fail, or how did you test? I tried
to reproduce but according to the logs the rules are reloaded every 5 minutes:
[root@ipa-devel-f25 tmp]# grep nitializ /var/log/krb5kdc.log
Jun 01 14:37:07 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA
certauth plugin.
Jun 01 14:37:07 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap
initialized.
Jun 01 14:42:20 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA
certauth plugin.
Jun 01 14:42:20 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap
initialized.
Jun 01 14:47:29 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): Initializing IPA
certauth plugin.
Jun 01 14:47:29 ipa-devel-f25.ipaf25.devel krb5kdc[20471](info): sss_certmap
initialized.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/823#issuecomment-305483776