Martin Kosek wrote:
> On 06/13/2014 02:55 PM, Simo Sorce wrote:
>> On Fri, 2014-06-13 at 09:05 +0200, Martin Kosek wrote:
>>> On 06/12/2014 07:45 PM, Jan Cholasta wrote:
>>> ...
>>>> Note that automatic distribution of CA certificates to IPA systems is not
>>>> implemented yet (it's planned for IPA 4.2, see
>>>> <https://fedorahosted.org/freeipa/ticket/4322>), so /etc/ipa/ca.crt,
>>>> /etc/pki/nssdb, /etc/dirsrv/slapd-REALM and /etc/httpd/alias are updated *only*
>>>> during client/server install.
>>>>
>>>> Honza
>>>
>>> For 4.0, we will need to come up with a manual procedure to renew the
>>> certificates *without* reinstalling the client or server.
>>>
>>> I think the best way would be to prepare a simple script to renew
>>> client/server, something like
>>>
>>> /usr/share/ipa/ipa-renew-client-certificate
>>> /usr/share/ipa/ipa-renew-server-certificate
>>
>> I assume you mean /usr/bin or /usr/libexec/ipa ?
> 
> Right, that's better. I think we do not want to store it in /usr/bin as fully
> supported scripts as I would feel obliged to keep those scripts supported and
> around even when automatic renewal is available in FreeIPA 4.2.
> 
> So maybe /usr/libexec/ipa would be better.

I guess it depends on what our expectations of users running this are.

If it is basically sample code, then yeah, /usr/share may be ok. If it's
something supported we expect some people to run, /usr/[s]bin is
probably the place. /usr/libexec is for binaries run by other programs IIRC.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel