Dne 3.6.2015 v 15:20 Simo Sorce napsal(a):
On Wed, 2015-06-03 at 09:27 +0200, Martin Kosek wrote:
On 06/02/2015 08:34 PM, Simo Sorce wrote:
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a):
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is the convetion used by the other
optional components (DNS and recently CA).

I mean cn=vaults,cn=kra of course.

If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
the IPA framework will work with it.

If you are talking about adding a new cn=kra,<IPA suffix> entry on top
of cn=vaults, what is the purpose of this entry? Is the entry going to
be created/deleted automatically when the KRA is installed/removed? Is
it going to be used for something else other than vaults?

I'm talking about cn=kra,<IPA suffix>. It should be created only when
KRA is installed, although I think this can be done later after the
release, moving vaults to cn=kra should be good enough for now. It's
going to be used for everything KRA-specific.

There are a lot of questions that need to be answered before we can make
this change.

This is about sticking to a convention, which everyone should do, and
everyone except KRA already does.

I'm sorry I didn't realize this earlier, but the change must be done now.

We probably should revisit this issue after the core vault
functionality is added.

We can't revisit it later because after release we are stuck with
whatever is there forever.

See attachment for a patch which implements the change.

Shouldn't we s/kra/vault/ ?
After all the feature is called Vault, not KRA.

I thought we are naming it by the name of the optional subsystem, not the
feature itself. If for example, another feature from KRA is used, it would
still live in cn=kra, no?

For services so far we have CA, not dogtag, and LDAP, not 389ds, also
KDC not krb5kdc and kpasswd not kadmind, etc... we normally named
everything after the function. Now kra is probably a somewhat generic
term, but I have not been able to find what it means exactly in 5
minutes, and it is quite obscure as a name. OTOH cn=Vault would make it
really clear what's in it. I do not have a very strong opinion but a
generic and clear name is important for the DIT.

There is also ipa-kra-install and I guess cn=KRA,cn=<fqdn>,cn=masters,cn=ipa,cn=etc. If we rename it, it should be renamed everywhere, and I'm not sure if that's worth it.

Also "vault" is too generic, it should be "password vault", but that's too long, so IMO "KRA" is better, as it's short and descriptive.

Are vaults the only feature KRA provides? If there are more possible features provided by KRA, it's another reason to keep it "KRA".

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to