On 21.4.2016 05:30, Fraser Tweedale wrote:
On Thu, Apr 14, 2016 at 04:39:37PM +1000, Fraser Tweedale wrote:
The attached patches configure lightweight CA key replication on IPA
CAs, on upgrade and installation.
Patches 0051..0052 from my other mail are also needed for the system
to work, but this patchset does not depend on them and can be
There is also no hard dependency on the (unreleased) Dogtag 10.3.0b1
- it just puts the necessary principals/keys/configuration in place.
New patches attached; 0054-2 changes the service name from
'dogtag-ipa-custodia' to just 'dogtag', and adds an ACI to allow the
principal to search server Custodia keys.
I'm not sure about this approach - the cn of custodia keys in LDAP is a
free-form string; I would not tie it to service names, but rather try to
keep it short.
In the key replication section of the design page, you mention
"ca/$NAME", I think this is a good template for the cn and that we
should stick to it.
1) This belongs to CAInstance.configure_instance():
+ CA = cainstance.CAInstance(
+ api.env.realm, certs.NSS_DIR, host_name=api.env.host)
2) Any ACI changes should be in a separate patch. (What happened to
3) This is not a platform constant, just a constant:
+ PKI_GSSAPI_SERVICE_NAME = 'dogtag'
4) CAInstance.setup_lightweight_ca_key_retrieval() does too much. Please
split it into a "setup keytab" and "setup custodia" parts.
5) This also belongs to CAInstance.configure_instance():
+ if setup_ca:
+ # CA was configured before Kerberos;
+ # add Custodia client princ and keys now
In order for that to work, you need to move the ca.install_step_1()
after krb.create_instance(), but that should be OK, since KrbInstance
does not talk to the CA.