On Thu, Sep 05, 2013 at 10:28:36AM +0200, Jan Cholasta wrote:
> On 3.9.2013 18:16, Dmitri Pal wrote:
> >On 09/02/2013 04:49 AM, Petr Spacek wrote:
> >>On 22.8.2013 15:43, Jan Cholasta wrote:
> >>>Hi,
> >>>
> >>>I'm currently investigating support for multiple CA certificates in LDAP
> >>>(<https://fedorahosted.org/freeipa/ticket/3259>,
> >>><https://fedorahosted.org/freeipa/ticket/3520>). This will be useful for CA
> >>>certificate renewal (<https://fedorahosted.org/freeipa/ticket/3304>,
> >>><https://fedorahosted.org/freeipa/ticket/3737>) and using certificates issued
> >>>by custom CAs for IPA HTTP and directory server instances
> >>>(<https://fedorahosted.org/freeipa/ticket/3641>).
> >>>
> >>>The biggest issue is how to make IPA clients aware of CA certificate changes.
> >>>One of the tickets suggests polling the LDAP server from SSSD. Would that be
> >>>sufficient? Perhaps a combination of polling and detecting certificate changes
> >>>when connecting to LDAP would be better?
> >>>
> >>>Another issue is how to handle updating IPA systems with new CA
> >>>certificate(s). On clients it is probably sufficient to store the
> >>>certificate(s) in /etc/ipa/ca.crt, but on servers there are multiple places
> >>>where the update needs to be done (HTTP and directory server NSS databases,
> >>>KDC pkinit_anchors file, etc.). IMO doing all this from SSSD is unrealistic,
> >>>so there should be a way to do this externally. The simplest thing that comes
> >>>to mind is that SSSD would execute an external script to do the update when it
> >>>detects changes, but I'm not sure how well that would work with SELinux in the
> >>>picture. Is there a better way to do this?
> >>
> >>It reminds me of problems with key rotation for DNSSEC.
> >>
> >>Could we find common problems and use the same/similar solution for both
> >>problems?
> >>
> >>An extension for certmonger? Oddjob? Or a completely new daemon?
> >>
> >Certmonger already has a way to:
> >1) Check things periodically
> >2) Hand certs in different places
> >3) Run post-op scripts
> >
> >IMO it is a good candidate but I would leave it to Nalin to chime in.
> >
> 
> I would expect more things that require periodic checking on clients beyond
> certificates to come in the future, so I'm not sure if doing this in certmonger
> is the right thing to do. Also, SSSD already does a similar thing for realm
> domains, right?
> 
> Honza
Sorry, didn't notice the "sssd" keyword until now.

Yes, we re-check and update domains every 30 seconds and right after startup as well.

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
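The client-side mechanism the thread is circling around (poll an authoritative source for the CA set, notice when it differs from the local anchors, rewrite /etc/ipa/ca.crt, and hand the server-side work to an external script) can be sketched end to end. The block below is an added example written for this page; it is not FreeIPA, SSSD or certmonger code. It assumes the LDAP lookup is done elsewhere and arrives as a list of DER blobs, it invents an IPA_CA_BUNDLE environment variable as the contract with the hook script, and the "certificates" are constructed placeholder bytes rather than real X.509 data. Comparison is by SHA-256 fingerprint of the DER encoding, so reordering the bundle is not a change, and an empty answer from the source is treated as a failure rather than a reason to drop every anchor.

```python
import base64
import hashlib
import os
import subprocess
import tempfile
from typing import Iterable, Optional, Sequence

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def parse_pem_bundle(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    ders, buf, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside, buf = True, []
        elif line == PEM_END and inside:
            ders.append(base64.b64decode("".join(buf), validate=True))
            inside = False
        elif inside:
            buf.append(line)
    return ders


def der_to_pem(der: bytes) -> str:
    """PEM-armour one DER blob with the usual 64-column base64 body."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


def fingerprints(ders: Iterable[bytes]) -> frozenset:
    """SHA-256 over each DER encoding; order within the bundle is irrelevant."""
    return frozenset(hashlib.sha256(d).hexdigest() for d in ders)


def read_local_bundle(path: str) -> list:
    """Anchors currently on disk; a missing file means 'no anchors yet'."""
    try:
        with open(path, encoding="ascii") as f:
            return parse_pem_bundle(f.read())
    except FileNotFoundError:
        return []


def write_bundle_atomic(path: str, ders: Sequence[bytes]) -> None:
    """Temp file + fsync + rename, so a reader never sees a half-written bundle."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".ca.crt.")
    try:
        with os.fdopen(fd, "w", encoding="ascii") as f:
            f.write("".join(der_to_pem(d) for d in ders))
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)  # CA anchors are public and must stay world-readable
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def refresh_anchors(path: str, remote_ders: Sequence[bytes],
                    hook: Optional[Sequence[str]] = None) -> bool:
    """One poll. Rewrites `path` and runs `hook` only if the CA set changed."""
    if not remote_ders:
        # An empty answer is far more likely a lookup failure than a realm with
        # no CA at all; never let it wipe the anchors we already trust.
        raise ValueError("refusing to replace anchors with an empty CA set")
    if fingerprints(read_local_bundle(path)) == fingerprints(remote_ders):
        return False
    write_bundle_atomic(path, remote_ders)
    if hook:
        # Hypothetical contract (assumed here): the hook receives the bundle
        # path in IPA_CA_BUNDLE and updates NSS databases, pkinit_anchors, etc.
        subprocess.run(list(hook), env=dict(os.environ, IPA_CA_BUNDLE=path),
                       check=True)
    return True


# Constructed placeholders standing in for DER-encoded CA certificates.
CA_OLD = b"constructed-der: IPA CA, original key"
CA_NEW = b"constructed-der: IPA CA, renewed key"


def demo() -> list:
    """Four polls in a scratch dir: first sync, no-op, renewal with hook, reorder."""
    path = os.path.join(tempfile.mkdtemp(), "ca.crt")
    hook = ["sh", "-c", 'test -s "$IPA_CA_BUNDLE"']  # stands in for a real updater
    return [
        refresh_anchors(path, [CA_OLD]),                 # True: file created
        refresh_anchors(path, [CA_OLD]),                 # False: nothing changed
        refresh_anchors(path, [CA_OLD, CA_NEW], hook),   # True: renewal, hook ran
        refresh_anchors(path, [CA_NEW, CA_OLD]),         # False: same set, new order
        read_local_bundle(path) == [CA_OLD, CA_NEW],     # True: both anchors kept
    ]
```

Running `demo()` returns `[True, False, True, False, True]`. During a CA renewal both the old and the new certificate are present in the remote set, so the third poll grows the bundle rather than swapping it, which is what keeps clients working while services still present certificates from the old CA. The hook runs only after the bundle has been replaced on disk, so a failing hook leaves the anchors updated but raises, which a real poller would log and retry rather than swallow.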