On 09/13/2013 10:51 AM, Jan Cholasta wrote:
> On 5.9.2013 10:28, Jan Cholasta wrote:
>> On 3.9.2013 18:16, Dmitri Pal wrote:
>>> On 09/02/2013 04:49 AM, Petr Spacek wrote:
>>>> On 22.8.2013 15:43, Jan Cholasta wrote:
>>>>> Hi,
>>>>>
>>>>> I'm currently investigating support for multiple CA certificates in LDAP
>>>>> (<https://fedorahosted.org/freeipa/ticket/3259>,
>>>>> <https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
>>>>> certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
>>>>> <https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
>>>>> by custom CAs for IPA HTTP and directory server instances
>>>>> (<https://fedorahosted.org/freeipa/ticket/3641>).
>>>>>
>>>>> The biggest issue is how to make IPA clients aware of CA certificate changes.
>>>>> One of the tickets suggests polling the LDAP server from SSSD. Would that be
>>>>> sufficient? Perhaps a combination of polling and detecting certificate changes
>>>>> when connecting to LDAP would be better?
>>>>>
>>>>> Another issue is how to handle updating IPA systems with new CA
>>>>> certificate(s). On clients it is probably sufficient to store the
>>>>> certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
>>>>> where the update needs to be done (HTTP and directory server NSS databases,
>>>>> KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
>>>>> so there should be a way to do this externally. The simplest thing that comes
>>>>> to mind is that SSSD would execute an external script to do the update when it
>>>>> detects changes, but I'm not sure how well that would work with SELinux in the
>>>>> picture. Is there a better way to do this?
>>>>
>>>> It reminds me of the problems with key rotation for DNSSEC.
>>>>
>>>> Could we find common problems and use the same/similar solution for
>>>> both problems?
>>>>
>>>> An extension for certmonger? Oddjob? Or a completely new daemon?
>>>>
>>> Certmonger already has a way to:
>>> 1) Check things periodically
>>> 2) Hand certs in different places
>>> 3) Run post-op scripts
>>>
>>> IMO it is a good candidate but I would leave it to Nalin to chime in.
>>>
>>
>> I would expect more things that require periodic checking on clients
>> beyond certificates to come in the future, so I'm not sure if doing this
>> in certmonger is the right thing to do. Also, SSSD already does a
>> similar thing for realm domains, right? Are you suggesting extending SSSD
>> to handle that?
>>
>> Honza
>>
>
> So, does anyone have any strong opinions on this?

Not at this point.

BTW, is there any reason why we cannot go the simple way and just utilize cron and a script? Previously we just dropped a conf file into /etc/cron.d for the ipa-compliance script and it worked quite well.

Martin
_______________________________________________
Freeipa-devel mailing list
https://www.redhat.com/mailman/listinfo/freeipa-devel
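The "cron and a script" option Martin raises, sketched as an added example (this is not FreeIPA project code and was not posted in the thread): a script meant to be run from a /etc/cron.d drop-in that fetches the CA certificates from LDAP, replaces /etc/ipa/ca.crt only when the bundle actually changed, and then hands the new bundle to hook scripts, which is where a server would do the per-store updates (NSS databases, pkinit_anchors) that Jan lists. Everything environment-specific is an assumption: the LDAP host and container DN are placeholders, the container is assumed to be anonymously readable and to use the standard pkiCA/cACertificate schema, the hook directory /etc/ipa/ca-update.d and the script name ipa-ca-refresh are invented for the example. The security-relevant detail is that the LDAP connection is verified against the bundle the host already trusts, so a rogue LDAP server cannot push a new CA to a client; the very first bundle still has to arrive through enrollment.

```sh
#!/bin/sh
# Added example, not FreeIPA code. Assumed cron drop-in (/etc/cron.d/ipa-ca-refresh):
#   */30 * * * * root /usr/local/sbin/ipa-ca-refresh
set -eu

LDAP_URI="${LDAP_URI:-ldap://ipa.example.test}"                     # placeholder host
CA_DN="${CA_DN:-cn=certificates,cn=ipa,cn=etc,dc=example,dc=test}"  # assumed container DN
CA_BUNDLE="${CA_BUNDLE:-/etc/ipa/ca.crt}"
HOOK_DIR="${HOOK_DIR:-/etc/ipa/ca-update.d}"                        # invented hook directory

# Fetch every CA certificate from LDAP and emit one PEM bundle on stdout.
# -ZZ forces StartTLS and LDAPTLS_CACERT pins verification to the bundle we
# already trust, so only a server vouched for by the current CA can hand us a new one.
# Assumes the container is readable anonymously (-x); adjust bind options otherwise.
fetch_ca_bundle() {
    LDAPTLS_CACERT="$CA_BUNDLE" ldapsearch -LLL -o ldif-wrap=no -ZZ -x \
        -H "$LDAP_URI" -b "$CA_DN" -s one '(objectClass=pkiCA)' 'cACertificate;binary' \
      | sed -n 's/^cACertificate;binary:: //p' \
      | while IFS= read -r b64; do
            # LDIF base64 of DER is exactly the body of a PEM certificate block.
            printf -- '-----BEGIN CERTIFICATE-----\n'
            printf '%s\n' "$b64" | fold -w 64
            printf -- '-----END CERTIFICATE-----\n'
        done
}

# Stable fingerprint of a bundle file (sha256 of its bytes).
bundle_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Install NEW over CURRENT only when it differs.
# Returns 0 if installed, 1 if unchanged, 2 if NEW is empty or not PEM
# (a failed fetch must never wipe the trust store). The replacement is a
# rename, so readers never observe a half-written bundle.
install_if_changed() {
    new="$1"; current="$2"
    if [ ! -s "$new" ] || ! grep -q 'BEGIN CERTIFICATE' "$new"; then
        echo "refusing to install empty or malformed bundle $new" >&2
        return 2
    fi
    if [ -f "$current" ] && [ "$(bundle_fingerprint "$new")" = "$(bundle_fingerprint "$current")" ]; then
        return 1
    fi
    tmp="$(mktemp "$(dirname "$current")/.ca.crt.XXXXXX")"
    cp "$new" "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$current"
    return 0
}

# Run every executable hook in DIR with the bundle path as its argument.
# On a server these would be the per-store updaters (NSS DBs, pkinit_anchors).
run_hooks() {
    dir="$1"; bundle="$2"
    [ -d "$dir" ] || return 0
    for hook in "$dir"/*; do
        if [ -x "$hook" ]; then
            "$hook" "$bundle"
        fi
    done
}

main() {
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    fetch_ca_bundle > "$tmp"
    if install_if_changed "$tmp" "$CA_BUNDLE"; then
        run_hooks "$HOOK_DIR" "$CA_BUNDLE"
    fi
}

# Run only when invoked under the assumed script name, so the functions
# can be sourced and exercised without touching LDAP or /etc.
case "${0##*/}" in
    ipa-ca-refresh) main ;;
esac
```

Because the bundle is only rewritten when its hash changes, the cron interval can be short without causing churn in the hooks, and the refusal to install an empty result means a transient LDAP outage leaves the existing trust store untouched. On a server, each hook can be small and run under its own SELinux context, which sidesteps the concern about a single daemon having to write into every store.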
