On 06/18/2015 07:08 PM, Endi Sukma Dewata wrote:
> On 6/18/2015 8:19 PM, Fraser Tweedale wrote:
>>>> In order for IPA to use some new functionality in Profile Management
>>>> Sub CAs, we need to add some additional schema to the Dogtag LDAP
>>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this
>>>> script expects the DM password to be in password.conf. Some discussion
>>>> on this script can be found here ..
>>>> In general, I think that while Dogtag will provide a database upgrade
>>>> framework and/or upgrade LDIF scripts, we will not - in general - know
>>>> how to connect to the DB with a user that has credentials to make
>>>> Fortunately, these types of changes are rare. Note that in all the
>>>> years Dogtag has been part of IPA, this is the first time this
>>>> has arisen.
>>>> The question now though is - how can we co-ordinate with IPA to make
>>>> this change? This question may have both a short term (for this
>>>> particular change) and long term answer.
>>> What about using LDAPI and autobind functionality? If the upgrade
>>> script is run locally as root, then it can autobind to "cn=Directory
>>> Manager" without requiring a password.
>> I like this idea, but I'm not sure how to accurately locate the
>> socket, because the name depends on the domain, e.g.
> I think the socket name would have to be provided by IPA via PKI
> deployment configuration.
That would work. The other alternative is that we could advertise it in
the root DSE.
> I'm just wondering how LDAPI with autobind would work with nuxwdog.
> Supposedly when nuxwdog is enabled the server can only be started by
> providing the NSS and LDAP database passwords. Does LDAPI with autobind
> make it less secure since the LDAP password is no longer required?
LDAPI still requires the server to be started to work. How does nuxwdog
fit into this issue?
> Also, LDAPI wouldn't work if the DS is on a different machine in general
> PKI deployment.
> I created this page about PKI database upgrade:
>> Since the new schema is for now only used by and supported for IPA,
>> I think the immediate way forward is to provide the new schema LDIF
>> in the Dogtag package (as the current patch does), and have FreeIPA
>> use it to update the DS. I will have patch for IPA and updated
>> patch for Dogtag shortly.
>> We will then work out what is the way forward for Dogtag to reliably
>> manage its schema updates in the variety of authentication
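The LDAPI-plus-autobind approach discussed above, as a shell sketch added here (not code from the thread, FreeIPA or Dogtag). It assumes the 389 DS instance is named after the realm with dots replaced by dashes, that its socket sits at /var/run/slapd-<INSTANCE>.socket, and that OpenLDAP ldapsearch/ldapmodify are installed:

```sh
#!/bin/sh
# Added example (not from the thread, FreeIPA or Dogtag): apply a schema LDIF
# as cn=Directory Manager over LDAPI with autobind, i.e. SASL EXTERNAL as root,
# so no DM password has to be kept in password.conf.
#
# Assumptions: the 389 DS instance is named after the realm with dots turned
# into dashes, its socket is /var/run/slapd-<INSTANCE>.socket (the 389 DS
# default for nsslapd-ldapifilepath), and OpenLDAP ldapsearch/ldapmodify exist.

instance_name() {
    printf '%s' "$1" | tr '.' '-'
}

# ldapi:// URIs carry the socket path in the host position, so every '/' in
# the path must be percent-encoded as %2f; a literal path will not parse.
ldapi_uri() {
    printf 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' "$(instance_name "$1")"
}

# Confirm the server will actually map uid 0 to the root DN before relying on
# it: both nsslapd-ldapiautobind and nsslapd-ldapimaprootdn live in cn=config.
check_autobind() {
    ldapsearch -LLL -Q -Y EXTERNAL -H "$(ldapi_uri "$1")" -s base -b cn=config \
        nsslapd-ldapiautobind nsslapd-ldapimaprootdn
}

apply_schema() {
    realm=$1
    ldif=$2
    sock="/var/run/slapd-$(instance_name "$realm").socket"
    [ "$(id -u)" -eq 0 ] || { echo "autobind to the root DN requires root" >&2; return 1; }
    [ -S "$sock" ] || { echo "no LDAPI socket at $sock (DS local and running?)" >&2; return 1; }
    [ -r "$ldif" ] || { echo "cannot read schema LDIF $ldif" >&2; return 1; }
    # -Q: quiet SASL, no password prompt; the bind identity comes from the
    # peer credentials on the socket, not from anything in a config file.
    ldapmodify -Q -Y EXTERNAL -H "$(ldapi_uri "$realm")" -f "$ldif"
}
```

Because the socket is local-only, this only covers the deployment where the DS runs on the CA host; a remote DS still needs a credentialed bind.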
Manage your subscription for the Freeipa-devel mailing list: