Dne 2.6.2015 v 02:02 Endi Sukma Dewata napsal(a):
On 5/28/2015 12:46 AM, Jan Cholasta wrote:
On a related note, since KRA is optional, can we move the vaults
container to cn=kra,cn=vaults? This is the convetion used by the other
optional components (DNS and recently CA).
I mean cn=vaults,cn=kra of course.
If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
the IPA framework will work with it.
If you are talking about adding a new cn=kra,<IPA suffix> entry on top
of cn=vaults, what is the purpose of this entry? Is the entry going to
be created/deleted automatically when the KRA is installed/removed? Is
it going to be used for something else other than vaults?
I'm talking about cn=kra,<IPA suffix>. It should be created only when
KRA is installed, although I think this can be done later after the
release, moving vaults to cn=kra should be good enough for now. It's
going to be used for everything KRA-specific.
There are a lot of questions that need to be answered before we can make
this change.
This is about sticking to a convention, which everyone should do, and
everyone except KRA already does.
I'm sorry I didn't realize this earlier, but the change must be done now.
We probably should revisit this issue after the core vault
functionality is added.
We can't revisit it later because after release we are stuck with
whatever is there forever.
See attachment for a patch which implements the change.
--
Jan Cholasta
>From 47295de5fb63195f7c07fa2528c6d6450e25d659 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jchol...@redhat.com>
Date: Tue, 2 Jun 2015 09:40:50 +0000
Subject: [PATCH] vault: Move vaults to cn=vaults,cn=kra
https://fedorahosted.org/freeipa/ticket/3872
---
install/updates/40-vault.update | 13 +++++++++----
ipa-client/man/default.conf.5 | 2 +-
ipalib/constants.py | 2 +-
ipatests/test_xmlrpc/test_vault_plugin.py | 24 ++++++++++++------------
4 files changed, 23 insertions(+), 18 deletions(-)
diff --git a/install/updates/40-vault.update b/install/updates/40-vault.update
index 5a6b8c6..dcd1e2a 100644
--- a/install/updates/40-vault.update
+++ b/install/updates/40-vault.update
@@ -1,19 +1,24 @@
-dn: cn=vaults,$SUFFIX
+dn: cn=kra,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: kra
+
+dn: cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: vaults
-dn: cn=services,cn=vaults,$SUFFIX
+dn: cn=services,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: services
-dn: cn=shared,cn=vaults,$SUFFIX
+dn: cn=shared,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: shared
-dn: cn=users,cn=vaults,$SUFFIX
+dn: cn=users,cn=vaults,cn=kra,$SUFFIX
default: objectClass: top
default: objectClass: nsContainer
default: cn: users
diff --git a/ipa-client/man/default.conf.5 b/ipa-client/man/default.conf.5
index 0973f1a..e345e93 100644
--- a/ipa-client/man/default.conf.5
+++ b/ipa-client/man/default.conf.5
@@ -221,7 +221,7 @@ The following define the containers for the IPA server. Containers define where
container_sudocmdgroup: cn=sudocmdgroups,cn=sudo
container_sudorule: cn=sudorules,cn=sudo
container_user: cn=users,cn=accounts
- container_vault: cn=vaults
+ container_vault: cn=vaults,cn=kra
container_virtual: cn=virtual operations,cn=etc
.SH "FILES"
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 95dec54..7815e14 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -99,7 +99,7 @@ DEFAULT_CONFIG = (
('container_hbacservice', DN(('cn', 'hbacservices'), ('cn', 'hbac'))),
('container_hbacservicegroup', DN(('cn', 'hbacservicegroups'), ('cn', 'hbac'))),
('container_dns', DN(('cn', 'dns'))),
- ('container_vault', DN(('cn', 'vaults'))),
+ ('container_vault', DN(('cn', 'vaults'), ('cn', 'kra'))),
('container_virtual', DN(('cn', 'virtual operations'), ('cn', 'etc'))),
('container_sudorule', DN(('cn', 'sudorules'), ('cn', 'sudo'))),
('container_sudocmd', DN(('cn', 'sudocmds'), ('cn', 'sudo'))),
diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py
index 44d397c..012baec 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -54,7 +54,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': 'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -75,7 +75,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -94,7 +94,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=admin,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -149,7 +149,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -172,7 +172,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
},
@@ -193,7 +193,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=services,cn=vaults,cn=kra,%s'
% (vault_name, service_name, api.env.basedn),
'cn': [vault_name],
},
@@ -251,7 +251,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -274,7 +274,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -295,7 +295,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=shared,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=shared,cn=vaults,cn=kra,%s'
% (vault_name, api.env.basedn),
'cn': [vault_name],
},
@@ -353,7 +353,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': u'Added vault "%s"' % vault_name,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'objectclass': [u'top', u'ipaVault'],
'cn': [vault_name],
@@ -376,7 +376,7 @@ class test_vault_plugin(Declarative):
'summary': u'1 vault matched',
'result': [
{
- 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
},
@@ -397,7 +397,7 @@ class test_vault_plugin(Declarative):
'value': vault_name,
'summary': None,
'result': {
- 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,%s'
+ 'dn': u'cn=%s,cn=%s,cn=users,cn=vaults,cn=kra,%s'
% (vault_name, user_name, api.env.basedn),
'cn': [vault_name],
},
--
2.1.0
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
