Fraser Tweedale via FreeIPA-devel wrote:
> On Thu, May 31, 2018 at 11:17:51AM -0400, Rob Crittenden via FreeIPA-devel
> wrote:
>> Standa Laznicka via FreeIPA-devel wrote:
>>> Hello people of the freeipa-devel channel,
>>>
>>> Let me share a design that proposes a way of automating the way FreeIPA
>>> replicas would be promoted to become a CRL master. Since the
>>> configuration cannot be dynamically altered by modifying an entry in the
>>> LDAP database, the proposal is to create an ipa-advise extension that
>>> could handle this operation instead for now. Read all about it in the
>>> attachment.
>>>
>>
>> This makes sense to me.
>>
>> I wonder if we should reflect the current CRL master in LDAP somehow, as
>> a role perhaps. This way one could look to see whether one is assigned
>> or not.
>>
>> The downside is that this could easily get stale, for example if the CRL
>> master server was lost in some way. But it would provide more visibility
>> into which master is the CRL master and could be used to prevent/warn a
>> user if they try to set multiple.
>>
>> rob
>>
> Unless Dogtag is actually configuring itself based on this
> hypothetical LDAP configuration, then it's still easy for the Dogtag
> configuration to get out of sync with what we have recorded about
> the CRL master.

Absolutely right. I'm a bit torn if it is a good idea or not myself. It would be a check on someone running the script on all masters though. There is a risk of a false sense of security if no masters are generating a CRL, but then again, if your masters aren't generating a CRL and you don't notice, then you aren't using the CRL in the first place.

> There is a Dogtag ticket for moving CRL configuration into LDAP:
> https://pagure.io/dogtagpki/issue/1262. But the work has not been
> scheduled.

Nice, good to know. Once agreed upon, this should be added to the design page on the wiki.

rob

_______________________________________________
FreeIPA-devel mailing list
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/W2753MBT5VBGI372TGTCMQRI3OK2VPZI/
