Dne 3.6.2015 v 14:58 Endi Sukma Dewata napsal(a):
On 6/2/2015 1:34 PM, Simo Sorce wrote:
On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a):
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is the convetion used by the
optional components (DNS and recently CA).

I mean cn=vaults,cn=kra of course.

If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
the IPA framework will work with it.

If you are talking about adding a new cn=kra,<IPA suffix> entry on top
of cn=vaults, what is the purpose of this entry? Is the entry going to
be created/deleted automatically when the KRA is installed/removed? Is
it going to be used for something else other than vaults?

I'm talking about cn=kra,<IPA suffix>. It should be created only when
KRA is installed, although I think this can be done later after the
release, moving vaults to cn=kra should be good enough for now. It's
going to be used for everything KRA-specific.

There are a lot of questions that need to be answered before we can
this change.

This is about sticking to a convention, which everyone should do, and
everyone except KRA already does.

I'm sorry I didn't realize this earlier, but the change must be done

We probably should revisit this issue after the core vault
functionality is added.

We can't revisit it later because after release we are stuck with
whatever is there forever.

See attachment for a patch which implements the change.

Shouldn't we s/kra/vault/ ?
After all the feature is called Vault, not KRA.


Here are the options:
1. the original code uses "cn=vaults,<IPA suffix>".
2. Honza proposed "cn=vaults,cn=kra,<IPA suffix>", ACKed by Martin.

Are you proposing a third option "cn=vaults,cn=vault,<IPA suffix>" or
did you mean the first option?

I think the first option would make more sense since we're not
introducing KRA to the end user, but I'll let the IPA team decide. My
next patch will be based on whatever pushed at the time.

The DNs are not exposed to the end user, they are only relevant for our internal organization of entries.

Jan Cholasta

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to