On Thu, May 31, 2018 at 10:10:07PM -0400, Rob Crittenden via FreeIPA-devel 
wrote:
> Fraser Tweedale via FreeIPA-devel wrote:
> > On Thu, May 31, 2018 at 11:17:51AM -0400, Rob Crittenden via FreeIPA-devel 
> > wrote:
> >> Standa Laznicka via FreeIPA-devel wrote:
> >>> Hello people of the freeipa-devel channel,
> >>>
> >>> Let me share a design that proposes a way of automating the way FreeIPA
> >>> replicas would be promoted to become a CRL master. Since the
> >>> configuration cannot be dynamically altered by modifying an entry in the
> >>> LDAP database, the proposal is to create an ipa-advise extension that
> >>> could handle this operation instead for now. Read all about it in the
> >>> attachment.
> >>>
> >>
> >> This makes sense to me.
> >>
> >> I wonder if we should reflect the current CRL master in LDAP somehow, as
> >> a role perhaps. This way one could look to see whether one is assigned
> >> or not.
> >>
> >> The downside is that this could easily get stale, for example if the CRL
> >> master server was lost in some way. But it would provide more visibility
> >> into which master is the CRL master and could be used to prevent/warn a
> >> user if they try to set multiple.
> >>
> >> rob
> >>
> > Unless Dogtag is actually configuring itself based on this
> > hypothetical LDAP configuration, then it's still easy for the Dogtag
> > configuration to get out of sync with what we have recorded about
> > the CRL master.
> 
> Absolutely right. I'm a bit torn if it is a good idea or not myself.
> 
> It would be a check on someone running the script on all masters though.
> 
> There is a risk of a false sense of security if no masters are
> generating a CRL but then again, if your masters aren't generating a CRL
> and you don't notice then you aren't using the CRL in the first place.
> 
> > There is a Dogtag ticket for moving CRL configuration into LDAP:
> > https://pagure.io/dogtagpki/issue/1262.  But the work has not been
> > scheduled.
> 
> Nice, good to know. Once agreed-upon this should be added to the design
> page on the wiki.
> 
It's part of a broader desire to move configuration into the DB.
There are several related tickets (see
https://pagure.io/dogtagpki/issue/2586 for a list).  If/when it
happens it will probably be a big effort with collaborative design,
of which the CRL configuration will just be one use case.

Cheers,
Fraser
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/DNKHYRH5VI6NYPRBCAPMYA4H7ZA3NVA4/