On 21.4.2016 05:30, Fraser Tweedale wrote:
On Thu, Apr 14, 2016 at 04:39:37PM +1000, Fraser Tweedale wrote:
Hi all,

The attached patches configure lightweight CA key replication on IPA
CAs, on upgrade and installation.

Patches 0051..0052 from my other mail are also needed for the system
to work, but this patchset does not depend on them and can be
reviewed independently.

There is also no hard dependency on the (unreleased) Dogtag 10.3.0b1
- it just puts the necessary principals/keys/configuration in place.

Cheers,
Fraser

New patches attached; 0054-2 changes the service name from
'dogtag-ipa-custodia' to just 'dogtag', and adds an ACI to allow the
principal to search server Custodia keys.

Patch 53:

I'm not sure about this approach: the cn of custodia keys in LDAP is a free-form string; I would not tie it to service names, but rather try to keep it short.

In the key replication section of the design page, you mention "ca/$NAME", I think this is a good template for the cn and that we should stick to it.


Patch 54:

1) This belongs to CAInstance.configure_instance():

+    CA = cainstance.CAInstance(
+            api.env.realm, certs.NSS_DIR, host_name=api.env.host)
+    CA.setup_lightweight_ca_key_retrieval()
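Review bot: the call to CA.setup_lightweight_ca_key_retrieval() is unconditional in this snippet; if this runs on upgrade it should be guarded by the installer's own "is a CA configured on this host" check, otherwise replicas without a CA will still try to create the principal, keytab and Custodia entries. Constructing a fresh CAInstance here only to call one method is also a sign the call belongs inside CAInstance.configure_instance(), as the review above says.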


2) Any ACI changes should be in a separate patch. (What happened to patch 52?)


3) This is not a platform constant, just a constant:

+    PKI_GSSAPI_SERVICE_NAME = 'dogtag'
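Review bot: the literal 'dogtag' is also what the principal name, its keytab and the new Custodia-key ACI are built from, so keep this as the single definition in a plain constants module and have those call sites build "dogtag/<host>@<REALM>" and the ACI subject from PKI_GSSAPI_SERVICE_NAME rather than repeating the string.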


4) CAInstance.setup_lightweight_ca_key_retrieval() does too much. Please split it into a "setup keytab" and "setup custodia" parts.


5) This also belongs to CAInstance.configure_instance():

+    if setup_ca:
+        # CA was configured before Kerberos;
+        # add Custodia client princ and keys now
+        ca_instance.setup_lightweight_ca_key_retrieval()
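Review bot: the comment "CA was configured before Kerberos" records an ordering assumption that nothing enforces; rather than relying on the caller to remember it, setup_lightweight_ca_key_retrieval() (or its keytab half) should fail clearly if the Kerberos instance is not yet in place, or the installer should order the steps so the CA setup runs after krb.create_instance(), in which case this comment and the separate call go away.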

In order for that to work, you need to move the ca.install_step_1() after krb.create_instance(), but that should be OK, since KrbInstance does not talk to the CA.


Honza

--
Jan Cholasta
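The following is an added illustration, not FreeIPA code or code from the patches under review: it models the step ordering discussed in points 4 and 5 above (Kerberos instance before CA install step 1, with "setup keytab" and "setup custodia" as two separate steps) and makes the prerequisite of each step explicit and checked, so that a misordered installer fails closed instead of depending on a comment at the call site. The step names, the artifact names, the "dogtag/<host>@<REALM>" principal and the use of the host name for $NAME in the "ca/$NAME" Custodia key cn are assumptions of this model.

```python
"""Constructed model of the installer ordering discussed in the review.

Not FreeIPA code: step names, artifact names and the principal/Custodia
key templates are assumptions used to show an ordering dependency that is
declared and enforced rather than documented only in a caller's comment.
"""


class OrderingError(RuntimeError):
    """A step ran before the artifacts it depends on were produced."""


class Step:
    def __init__(self, name, requires, provides, action):
        self.name = name
        self.requires = frozenset(requires)
        self.provides = frozenset(provides)
        self.action = action          # callable(installer) -> dict of artifacts


class Installer:
    """Runs steps in list order; each step's prerequisites are checked first."""

    def __init__(self, host, realm):
        self.host = host
        self.realm = realm
        self.state = {}               # artifact name -> value produced so far
        self.log = []                 # step names in execution order

    def run(self, steps):
        for step in steps:
            missing = step.requires - set(self.state)
            if missing:
                raise OrderingError("%s needs %s, which is not set up yet"
                                    % (step.name, ", ".join(sorted(missing))))
            produced = step.action(self)
            # A step must deliver exactly what it declared, so later steps
            # can rely on the declarations instead of on execution order.
            if set(produced) != step.provides:
                raise OrderingError("%s declared %s but produced %s"
                                    % (step.name, sorted(step.provides),
                                       sorted(produced)))
            self.state.update(produced)
            self.log.append(step.name)
        return self


# Step actions (assumed names; the bodies model only the artifacts).

def krb_create_instance(inst):
    return {"realm": inst.realm}


def ca_install_step_1(inst):
    return {"ca_instance": "pki-tomcat"}


def ca_setup_keytab(inst):
    # Kerberos service principal for the CA's Custodia client; needs the realm.
    principal = "dogtag/%s@%s" % (inst.host, inst.state["realm"])
    return {"dogtag_principal": principal}


def ca_setup_custodia(inst):
    # Custodia key entry; cn follows the "ca/$NAME" template from the design
    # page, with the host name standing in for $NAME (assumption of the model).
    return {"custodia_key_cn": "ca/%s" % inst.host}


KRB = Step("krb.create_instance", [], ["realm"], krb_create_instance)
CA_STEP_1 = Step("ca.install_step_1", [], ["ca_instance"], ca_install_step_1)
# The two halves of setup_lightweight_ca_key_retrieval(), split as requested.
CA_KEYTAB = Step("ca.setup_keytab", ["realm", "ca_instance"],
                 ["dogtag_principal"], ca_setup_keytab)
CA_CUSTODIA = Step("ca.setup_custodia", ["dogtag_principal"],
                   ["custodia_key_cn"], ca_setup_custodia)


def proposed_order():
    """Kerberos first, then the CA, then the two key-retrieval steps."""
    return [KRB, CA_STEP_1, CA_KEYTAB, CA_CUSTODIA]


def original_order():
    """CA configured before Kerberos: the keytab step cannot run yet."""
    return [CA_STEP_1, CA_KEYTAB, CA_CUSTODIA, KRB]


def install(order, host="ipa.example.test", realm="EXAMPLE.TEST"):
    return Installer(host, realm).run(order)


def refuses(order):
    """True if the installer rejects the given order as misordered."""
    try:
        install(order)
    except OrderingError:
        return True
    return False


if __name__ == "__main__":
    done = install(proposed_order())
    print(done.log, done.state)
    print("original order refused:", refuses(original_order()))
```

With the prerequisites declared on the steps, the reordering asked for in point 5 becomes a one-line change to the step list, and any future step that silently assumes Kerberos exists is caught at install time rather than when the principal is first used.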

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code