Loris Santamaria wrote:
> Hi all
> while trying the latest nightly build of IPAv2 I noticed the integrated
> certification authority is installed in a second 389DS instance, so a
> full IPAv2 server would have (at least) two 389DS instances running.
> Why is it installed that way, instead of simply adding another suffix in
> the main instance? Using an alternative suffix in the main instance
> would consume less memory, would be a service less to monitor, and IMHO
> a cleaner design having only one ldap server in the system answering all
> possible queries.
AFAIR the CA instance of the DS is completely internal and hidden from
the outside world. Combining them in one would require rigorous access
control which might be hard to maintain. While I agree that having one
instance will save some resources the security risk is much higher. We
can definitely look into this some time in future but I suspect it will
be a substantial amount of work to accomplish the optimization you
suggest. Currently we use all the install tools provided by Certificate
System. The approach you suggest will require a fair amount of custom
code. Is it worth to spend time doing this work or rather integrate
other CS components like key management and user cert management? I
would vote for latter.
Engineering Manager IPA project,
Red Hat Inc.
Looking to carve out IT costs?
Freeipa-users mailing list