On Thu, Jun 18, 2015 at 11:02:03AM -0700, Nathan Kinder wrote:
> On 06/18/2015 10:45 AM, Ade Lee wrote:
> > In order for IPA to use some new functionality in Profile Management and
> > Sub CAs, we need to add some additional schema to the Dogtag LDAP
> > instance.
> > Fraser has written a Dogtag upgrade script to do this upgrade, but this
> > script expects the DM password to be in password.conf. Some discussion
> > on this script can be found here ..
> > https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
> > In general, I think that while Dogtag will provide a database upgrade
> > framework and/or upgrade LDIF scripts, we will not - in general - know
> > how to connect to the DB with a user that has credentials to make schema
> > changes.
> > Fortunately, these types of changes are rare. Note that in all the
> > years Dogtag has been part of IPA, this is the first time this situation
> > has arisen.
> > The question now though is - how can we co-ordinate with IPA to make
> > this change? This question may have both a short term (for this
> > particular change) and long term answer.
> What about using LDAPI and autobind functionality? If the upgrade
> script is run locally as root, then it can autobind to "cn=Directory
> Manager" without requiring a password.
I like this idea, but I'm not sure how to accurately locate the
socket, because the name depends on the domain, e.g.
Since the new schema is for now only used by and supported for IPA,
I think the immediate way forward is to provide the new schema LDIF
in the Dogtag package (as the current patch does), and have FreeIPA
use it to update the DS. I will have patch for IPA and updated
patch for Dogtag shortly.
We will then work out what is the way forward for Dogtag to reliably
manage its schema updates in the variety of authentication
> > Thanks,
> > Ade
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code