On 6/18/2015 8:19 PM, Fraser Tweedale wrote:
In order for IPA to use some new functionality in Profile Management and
Sub CAs, we need to add some additional schema to the Dogtag LDAP
instance.
Fraser has written a Dogtag upgrade script to do this upgrade, but this
script expects the DM password to be in password.conf. Some discussion
on this script can be found here:
https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
In general, I think that while Dogtag will provide a database upgrade
framework and/or upgrade LDIF scripts, we will not - in general - know
how to connect to the DB with a user that has credentials to make schema
changes.
Fortunately, these types of changes are rare. Note that in all the
years Dogtag has been part of IPA, this is the first time this situation
has arisen.
The question now though is - how can we co-ordinate with IPA to make
this change? This question may have both a short term (for this
particular change) and long term answer.
What about using LDAPI and autobind functionality? If the upgrade
script is run locally as root, then it can autobind to "cn=Directory
Manager" without requiring a password.
I like this idea, but I'm not sure how to accurately locate the
socket, because the name depends on the domain, e.g.
`/var/run/slapd-EXAMPLE-COM.socket'.
I think the socket name would have to be provided by IPA via PKI
deployment configuration.
I'm just wondering how LDAPI with autobind would work with nuxwdog.
Supposedly when nuxwdog is enabled the server can only be started by
providing the NSS and LDAP database passwords. Does LDAPI with autobind
make it less secure since the LDAP password is no longer required?
Also, LDAPI wouldn't work if the DS is on a different machine in a general
PKI deployment.
I created this page about PKI database upgrade:
http://pki.fedoraproject.org/wiki/Database_Upgrade
Since the new schema is for now only used by and supported for IPA,
I think the immediate way forward is to provide the new schema LDIF
in the Dogtag package (as the current patch does), and have FreeIPA
use it to update the DS. I will have patch for IPA and updated
patch for Dogtag shortly.
We will then work out what is the way forward for Dogtag to reliably
manage its schema updates in the variety of authentication
scenarios.
Thanks,
Fraser
--
Endi S. Dewata
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
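The LDAPI autobind idea discussed in the thread, written out as an added example (this is illustration code, not Dogtag's or FreeIPA's upgrade script). It assumes the socket naming shown above (the 389-ds instance name is the domain upper-cased with dots replaced by dashes, under /var/run), that the OpenLDAP ldapmodify client and python-ldap are installed, and that the schema LDIF path is passed on the command line; all of those are assumptions. It also encodes the two caveats raised in the thread: if there is no local socket (DS on another machine) or the script is not root, it reports that the caller must fall back to the DM password, and it verifies after binding that autobind actually mapped root to cn=Directory Manager rather than some other identity.

```python
"""Locate an IPA-managed 389-ds LDAPI socket, autobind as root, and apply a
schema LDIF over that connection.

Added illustration, not project code.  Assumptions: socket naming
/var/run/slapd-<DOMAIN-WITH-DASHES>.socket (from the path quoted in the
thread), python-ldap for the bind check, OpenLDAP ldapmodify for the LDIF.
"""
import os
import re
import subprocess
import sys
import urllib.parse

RUN_DIR = "/var/run"   # directory of the socket path quoted in the thread


def instance_name(domain: str) -> str:
    """389-ds instance name IPA derives from the domain (assumed: dots -> dashes,
    upper-cased, e.g. example.com -> EXAMPLE-COM).  Rejects anything that is not
    a plain label so a hostile domain string cannot become path traversal."""
    name = domain.strip().upper().replace(".", "-")
    if not re.fullmatch(r"[A-Z0-9-]+", name):
        raise ValueError(f"unsafe domain for instance name: {domain!r}")
    return name


def ldapi_socket_path(domain: str, run_dir: str = RUN_DIR) -> str:
    return os.path.join(run_dir, f"slapd-{instance_name(domain)}.socket")


def ldapi_url(socket_path: str) -> str:
    """ldapi:// URLs carry the socket path percent-encoded: every '/' becomes %2F,
    otherwise the client would parse the path as a host name."""
    return "ldapi://" + urllib.parse.quote(socket_path, safe="")


def pick_bind_method(domain, run_dir=RUN_DIR, socket_exists=os.path.exists, euid=None):
    """Return ("ldapi", url) when a local socket exists and we run as root,
    otherwise ("password", None): the caller must use the DM password (remote
    DS, or a non-root invocation that autobind would not map to DM)."""
    euid = os.geteuid() if euid is None else euid
    path = ldapi_socket_path(domain, run_dir)
    if euid == 0 and socket_exists(path):
        return ("ldapi", ldapi_url(path))
    return ("password", None)


def autobind_whoami(url: str) -> str:
    """SASL EXTERNAL bind over LDAPI; 389-ds autobind maps the peer uid to a DN.
    python-ldap is imported lazily so the path helpers work without it."""
    import ldap
    import ldap.sasl
    conn = ldap.initialize(url)
    conn.sasl_interactive_bind_s("", ldap.sasl.external())
    return conn.whoami_s()


def is_directory_manager(whoami: str) -> bool:
    """whoami_s() returns e.g. 'dn: cn=directory manager'; compare case- and
    whitespace-insensitively so a mapping to any other DN is caught."""
    dn = whoami.split(":", 1)[1] if ":" in whoami else whoami
    return re.sub(r"\s*,\s*", ",", dn.strip().lower()) == "cn=directory manager"


def ldapmodify_argv(url: str, ldif_path: str) -> list:
    """OpenLDAP ldapmodify invocation applying the schema LDIF over the same
    autobind (-Y EXTERNAL, -Q = SASL quiet mode, no password prompt)."""
    return ["ldapmodify", "-H", url, "-Y", "EXTERNAL", "-Q", "-f", ldif_path]


if __name__ == "__main__":
    # usage: schema_upgrade.py <domain> <schema.ldif>   (hypothetical script name)
    domain, ldif_path = sys.argv[1], sys.argv[2]
    method, url = pick_bind_method(domain)
    if method != "ldapi":
        raise SystemExit("no local LDAPI socket or not running as root: "
                         "fall back to the DM password from password.conf")
    who = autobind_whoami(url)
    if not is_directory_manager(who):
        raise SystemExit(f"autobind yielded {who!r}, not Directory Manager; "
                         "check nsslapd-ldapiautobind / nsslapd-ldapimaprootdn")
    subprocess.run(ldapmodify_argv(url, ldif_path), check=True)
```

The whoami check is the part worth keeping even if everything else changes: autobind only maps uid 0 to Directory Manager when the DS is configured for it, so a script that skips the check can silently run its schema modifications as a far less privileged identity and fail half-way through. Note also that autobind does not weaken nuxwdog's startup protection in itself: it grants nothing beyond what local root already has over the DS files and process.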