On 06/18/2015 10:45 AM, Ade Lee wrote:
> In order for IPA to use some new functionality in Profile Management and
> Sub CAs, we need to add some additional schema to the Dogtag LDAP
> Fraser has written a Dogtag upgrade script to do this upgrade, but this
> script expects the DM password to be in password.conf. Some discussion
> on this script can be found here ..
> In general, I think that while Dogtag will provide a database upgrade
> framework and/or upgrade LDIF scripts, we will not - in general - know
> how to connect to the DB with a user that has credentials to make schema
> Fortunately, these types of changes are rare. Note that in all the
> years Dogtag has been part of IPA, this is the first time this situation
> has arisen.
> The question now though is - how can we co-ordinate with IPA to make
> this change? This question may have both a short term (for this
> particular change) and long term answer.
What about using LDAPI and autobind functionality? If the upgrade
script is run locally as root, then it can autobind to "cn=Directory
Manager" without requiring a password.
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
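
The LDAPI autobind approach suggested in the reply above, sketched as an added example (not part of the original thread, and not Dogtag or IPA code). The function names are hypothetical; it assumes the OpenLDAP client tools are installed, the caller supplies the LDAPI socket path and the schema LDIF, and the directory server has autobind enabled with root mapped to "cn=Directory Manager".

```shell
#!/bin/sh
# Added example: apply a schema LDIF over LDAPI using autobind (SASL EXTERNAL),
# so no Directory Manager password has to be read from password.conf.

# Build an ldapi:// URL from a socket path. The path must be percent-encoded
# because it occupies the host part of the URL. '%' is encoded first so that
# the '%' introduced by later substitutions is not encoded again.
ldapi_url() {
    encoded=$(printf '%s' "$1" | sed -e 's/%/%25/g' -e 's|/|%2F|g' -e 's/ /%20/g')
    printf 'ldapi://%s\n' "$encoded"
}

# Autobind maps the connecting process's UID to a DN, so the script only
# binds as Directory Manager when it runs as root on the server itself.
# Returns 1 if the caller is not root, 2 if the socket is missing.
check_autobind_preconditions() {
    caller_uid=$1
    sock=$2
    if [ "$caller_uid" -ne 0 ]; then
        echo "must run as root for autobind to map to Directory Manager" >&2
        return 1
    fi
    if [ ! -S "$sock" ]; then
        echo "no LDAPI socket at $sock" >&2
        return 2
    fi
    return 0
}

# Apply the LDIF. -Y EXTERNAL asks the server to take the identity from the
# Unix socket peer credentials; -Q suppresses SASL progress output.
apply_schema() {
    sock=$1
    ldif=$2
    check_autobind_preconditions "$(id -u)" "$sock" || return $?
    ldapmodify -Q -Y EXTERNAL -H "$(ldapi_url "$sock")" -f "$ldif"
}

# Usage: script.sh <socket-path> <schema.ldif>
if [ "$#" -eq 2 ]; then
    apply_schema "$1" "$2"
fi
```

Because the bind identity comes from the socket peer credentials, access to the upgrade is governed by who can run the script as root locally, not by a stored secret.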