URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
HonzaCholasta commented:
"""
master:
* b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set
ipaConfigString values on service entry
*
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
HonzaCholasta commented:
"""
Works for me, ACK.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/694#issuecomment-297940885
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
Any volunteer to do a functional review?
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/694#issuecomment-297677004
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
HonzaCholasta commented:
"""
LGTM.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/694#issuecomment-297645225
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
@HonzaCholasta Then the best course of action is to remove the PKINIT check
and raise the priority of the issue for test case.
"""
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
HonzaCholasta commented:
"""
@martbab, this sounds like a typical instance of a we will do it later = we
will do it never situation. IMO we should remove the
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
I have rewritten the PKINIT state reporting code as agreed with @abbra and also
re-factored the installation/upgrade logic. @HonzaCholasta also
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
abbra commented:
"""
Yep. Then this PR can be merged once you removed distinction external/full.
"""
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
We can query that PKINIT was not configured at all by a) checking the presence
of KDC keypair, b) checking the sysupgrade (no presence of pkinit
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
abbra commented:
"""
I agree that it is internal detail whether we use local pkinit or not. However,
we need to know that it is existing as opposed to not existing at
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
@abbra I received an interactive review from @HonzaCholasta today and he is not
very keen on idea of having ternary (absent/local/external/full)
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
abbra commented:
"""
I read through the code and I believe it addresses all use cases we have been
discussing. LGTM.
"""
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
I have added comments to the "hidden" PKINIT setup steps. I would also like
@simo5 and @abbra to answer further comments regarding this PR. It
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
@MartinBasti I can add some removal logic to upgrader if required.
"""
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
MartinBasti commented:
"""
Should be anon keytab removed by upgrade, are there any leftovers in LDAP to be
removed during upgrade?
"""
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
I have re-worked the PR and implemented most of the missing steps (except for
API for querying PKINIT status in topology). I have also removed
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
martbab commented:
"""
@MartinBasti I haven't thought about CA-less -> CA-full but in this case you
would have local PKINIT and should configure full PKINIT manually
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
MartinBasti commented:
"""
`upgrade and transitions between PKINIT configurations` does this cover:
- CA-less to CA-full upgrade?
- installed 4.4.4 --- upgraded --->