On 06/19/2015 04:51 AM, Nathan Kinder wrote:
> On 06/18/2015 07:08 PM, Endi Sukma Dewata wrote:
>> On 6/18/2015 8:19 PM, Fraser Tweedale wrote:
>>>>> In order for IPA to use some new functionality in Profile Management
>>>>> and
>>>>> Sub CAs, we need to add some additional schema to the Dogtag LDAP
>>>>> instance.
>>>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this
>>>>> script expects the DM password to be in password.conf.  Some discussion
>>>>> on this script can be found here ..
>>>>>   https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
>>>>> In general, I think that while Dogtag will provide a database upgrade
>>>>> framework and/or upgrade LDIF scripts, we will not - in general - know
>>>>> how to connect to the DB with a user that has credentials to make
>>>>> schema
>>>>> changes.
>>>>> Fortunately, these types of changes are rare.  Note that in all the
>>>>> years Dogtag has been part of IPA, this is the first time this
>>>>> situation
>>>>> has arisen.
>>>>> The question now though is - how can we co-ordinate with IPA to make
>>>>> this change?  This question may have both a short term (for this
>>>>> particular change) and long term answer.
>>>> What about using LDAPI and autobind functionality?  If the upgrade
>>>> script is run locally  as root, then it can autobind to "cn=Directory
>>>> Manager" without requiring a password.
>>> I like this idea, but I'm not sure how to accurately locate the
>>> socket, because the name depends on the domain, e.g.
>>> `/var/run/slapd-EXAMPLE-COM.socket'.
>> I think the socket name would have to be provided by IPA via PKI
>> deployment configuration.
> That would work.  The other alternative is that we could advertise it in
> the root DSE.

That would make upgrades harder, if IPA would have to pass this setting to PKI
before PKI could upgrade. PKI should be aware of the realm/suffix/database name
it runs on already, right?

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to