On 06/18/2015 10:45 AM, Ade Lee wrote:
> In order for IPA to use some new functionality in Profile Management and
> Sub CAs, we need to add some additional schema to the Dogtag LDAP
> instance.
>
> Fraser has written a Dogtag upgrade script to do this upgrade, but this
> script expects the DM password to be in password.conf. Some discussion
> on this script can be found here:
> https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
>
> In general, I think that while Dogtag will provide a database upgrade
> framework and/or upgrade LDIF scripts, we will not - in general - know
> how to connect to the DB with a user that has credentials to make schema
> changes.
>
> Fortunately, these types of changes are rare. Note that in all the
> years Dogtag has been part of IPA, this is the first time this situation
> has arisen.
>
> The question now though is - how can we co-ordinate with IPA to make
> this change? This question may have both a short term (for this
> particular change) and long term answer.

What about using LDAPI and autobind functionality? If the upgrade script
is run locally as root, then it can autobind to "cn=Directory Manager"
without requiring a password.

Thanks,
-NGK

>
> Thanks,
> Ade
>
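
Added example, not part of the original thread and not Dogtag or IPA code: a sketch of the LDAPI autobind approach suggested above, which confirms that the autobind identity really is the Directory Manager before any schema LDIF is applied. It assumes the OpenLDAP client tools are installed and that the directory server already has LDAPI autobind enabled with root mapped to the Directory Manager (in 389 Directory Server, nsslapd-ldapiautobind and nsslapd-ldapimaprootdn); the function names and the socket path are hypothetical.

```shell
#!/bin/sh
# Added example: apply a schema LDIF over LDAPI using SASL EXTERNAL (autobind),
# so no Directory Manager password is read from password.conf.
# Usage (socket path is a placeholder for the instance's LDAPI socket):
#   sh this-script.sh /var/run/slapd-EXAMPLE-TEST.socket schema-update.ldif

# Percent-encode a socket path into the host part of an ldapi:// URL.
ldapi_url() {
    rest=$1 out=
    while [ -n "$rest" ]; do
        tail=${rest#?}          # everything after the first character
        c=${rest%"$tail"}       # the first character itself
        rest=$tail
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf 'ldapi://%s\n' "$out"
}

# True only if an ldapwhoami result names the Directory Manager.
is_directory_manager() {
    dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' |
         sed -e 's/^dn: *//' -e 's/ *= */=/g' -e 's/ *$//')
    [ "$dn" = "cn=directory manager" ]
}

# Verify the preconditions for autobind, then apply the LDIF.
apply_schema_ldif() {
    sock=$1 ldif=$2
    [ "$(id -u)" -eq 0 ] || { echo "must run as root for autobind" >&2; return 1; }
    [ -S "$sock" ] || { echo "no LDAPI socket at $sock" >&2; return 1; }
    url=$(ldapi_url "$sock")
    # The server maps the peer's uid to a DN; ask it which DN it chose.
    who=$(ldapwhoami -Q -Y EXTERNAL -H "$url") || return 1
    is_directory_manager "$who" ||
        { echo "autobind mapped to '$who', refusing to continue" >&2; return 1; }
    ldapmodify -Q -Y EXTERNAL -H "$url" -f "$ldif"
}

# Only act when called with a socket path and an LDIF file.
if [ "$#" -eq 2 ]; then
    apply_schema_ldif "$1" "$2"
fi
```

The identity check matters because autobind succeeds for any local user the server can map; a script that skips it may attempt the schema change as an unprivileged entry and fail partway through.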