On 06/19/2015 04:51 AM, Nathan Kinder wrote:
>
> On 06/18/2015 07:08 PM, Endi Sukma Dewata wrote:
>> On 6/18/2015 8:19 PM, Fraser Tweedale wrote:
>>>>> In order for IPA to use some new functionality in Profile Management
>>>>> and Sub CAs, we need to add some additional schema to the Dogtag LDAP
>>>>> instance.
>>>>>
>>>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this
>>>>> script expects the DM password to be in password.conf. Some discussion
>>>>> on this script can be found here ..
>>>>> https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
>>>>>
>>>>> In general, I think that while Dogtag will provide a database upgrade
>>>>> framework and/or upgrade LDIF scripts, we will not - in general - know
>>>>> how to connect to the DB with a user that has credentials to make
>>>>> schema changes.
>>>>>
>>>>> Fortunately, these types of changes are rare. Note that in all the
>>>>> years Dogtag has been part of IPA, this is the first time this
>>>>> situation has arisen.
>>>>>
>>>>> The question now though is - how can we co-ordinate with IPA to make
>>>>> this change? This question may have both a short term (for this
>>>>> particular change) and long term answer.
>>>>
>>>> What about using LDAPI and autobind functionality? If the upgrade
>>>> script is run locally as root, then it can autobind to "cn=Directory
>>>> Manager" without requiring a password.
>>>>
>>> I like this idea, but I'm not sure how to accurately locate the
>>> socket, because the name depends on the domain, e.g.
>>> `/var/run/slapd-EXAMPLE-COM.socket'.
>>
>> I think the socket name would have to be provided by IPA via PKI
>> deployment configuration.
>
> That would work. The other alternative is that we could advertise it in
> the root DSE.
That would make upgrades harder, if IPA would have to pass this setting to PKI before PKI could upgrade. PKI should be aware of the realm/suffix/database name it runs on already, right?
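The socket-location problem raised in the thread, as an added example that is not part of the original mail or of the IPA/Dogtag code: derive the 389-ds LDAPI socket path from the realm and verify root autobind with the OpenLDAP client tools. It assumes the IPA convention that the instance id is the realm with dots replaced by dashes (EXAMPLE.COM -> slapd-EXAMPLE-COM) and that ldapwhoami from openldap-clients is installed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the 389-ds instance for an
# IPA realm is named after the realm with '.' replaced by '-', and its LDAPI
# socket lives at /var/run/slapd-<instance>.socket.

# Derive the 389-ds instance id from a realm name: EXAMPLE.COM -> EXAMPLE-COM
realm_to_serverid() {
    printf '%s' "$1" | tr '.' '-'
}

# Filesystem path of the LDAPI socket for a realm.
ldapi_socket_path() {
    printf '/var/run/slapd-%s.socket' "$(realm_to_serverid "$1")"
}

# ldapi:// URL for that socket. Every '/' in the socket path must be
# percent-encoded as %2F, otherwise the client parses it as a hostname.
ldapi_url() {
    printf 'ldapi://%s' "$(ldapi_socket_path "$1" | sed 's#/#%2F#g')"
}

# Bind over LDAPI with SASL EXTERNAL and print the bound identity.
# With autobind enabled and the caller running as root, this should report
# cn=Directory Manager; an unprivileged caller gets a different (or no)
# identity, which is what makes the password-less upgrade path safe to rely on.
check_autobind() {
    sock=$(ldapi_socket_path "$1")
    if [ ! -S "$sock" ]; then
        echo "no LDAPI socket at $sock" >&2
        return 1
    fi
    ldapwhoami -Q -Y EXTERNAL -H "$(ldapi_url "$1")"
}

# Usage: sh ldapi-check.sh EXAMPLE.COM (run as root on the IPA server)
if [ -n "${1:-}" ]; then
    check_autobind "$1"
fi
```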