On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
> Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a):
> > On 5/28/2015 12:46 AM, Jan Cholasta wrote:
> >>> On a related note, since KRA is optional, can we move the vaults
> >>> container to cn=kra,cn=vaults? This is the convetion used by the other
> >>> optional components (DNS and recently CA).
> >>
> >> I mean cn=vaults,cn=kra of course.
> >
> > If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
> > the IPA framework will work with it.
> >
> > If you are talking about adding a new cn=kra,<IPA suffix> entry on top
> > of cn=vaults, what is the purpose of this entry? Is the entry going to
> > be created/deleted automatically when the KRA is installed/removed? Is
> > it going to be used for something else other than vaults?
> I'm talking about cn=kra,<IPA suffix>. It should be created only when 
> KRA is installed, although I think this can be done later after the 
> release, moving vaults to cn=kra should be good enough for now. It's 
> going to be used for everything KRA-specific.
> >
> > There are a lot of questions that need to be answered before we can make
> > this change.
> This is about sticking to a convention, which everyone should do, and 
> everyone except KRA already does.
> I'm sorry I didn't realize this earlier, but the change must be done now.
> > We probably should revisit this issue after the core vault
> > functionality is added.
> >
> We can't revisit it later because after release we are stuck with 
> whatever is there forever.
> See attachment for a patch which implements the change.

Shouldn't we s/kra/vault/ ?
After all the feature is called Vault, not KRA.


Simo Sorce * Red Hat, Inc * New York

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to