Hello people of the freeipa-devel channel,

Let me share a design that proposes a way of automating the way FreeIPA replicas would be promoted to become a CRL master. Since the configuration cannot be dynamically altered by modifying an entry in the LDAP database, the proposal is to create an ipa-advise extension that could handle this operation instead for now. Read all about it in the attachment.

Looking forward to your comments,
Stanislav Láznička

--
Standa Láznička
A Red Hat person
PGP: 8B00 620A 713B 714E B4CB 4767 C98C 4149 36B1 A7F3
# CRL master reassignment draft

## Rationale

Changing the CRL master of a FreeIPA deployment feels complex to users and, judging from the experience of the support engineers, is therefore rather error prone. We should provide a more automatic way of handling this process.

## Design

While the FreeIPA framework offers an API to define a server role, the framework itself assumes that all the information it needs is available in the backend LDAP database. Assigning an IPA server as a CRL master requires access to the filesystem (see [freeipa.org: Promote CA to Renewal and CRL Master](https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master)), and therefore the framework should not be used, at least not until PKI allows us to change this aspect of the system's configuration based on values stored in the database.

Instead, we will use the capabilities of the `ipa-advise` tool. Creating a separate Python script would also be an option, but creating a script for every possible action in IPA seems like an unfortunate decision to make, as it would only generate a bunch of binaries that would be hard to get rid of once a proper solution for that particular problem appears.

## Implementation

A new `ipa-advise` plugin is created: `crl_master.py`. This plugin will provide the user with a script that will, in one run, try to change the configuration files on the current CRL master to make it an ordinary CRL clone (this should be done via ssh), and also edit the files on the current system so that it becomes the CRL master. The script will be based on the steps in the aforementioned HOWTO page.

## Feature management - CLI

| Command | Arguments |
| :---: | :---: |
| ipa-advise | set-crl-master |
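The generated script must rewrite `key=value` lines in a Dogtag-style CS.cfg on two hosts without duplicating keys or clobbering unrelated settings. The following is an added example of that primitive, not code from FreeIPA or from the proposal above: an idempotent setter and two role toggles, exercised on a constructed CS.cfg fragment. The two `ca.crl.MasterCRL.*` keys are the settings the HOWTO's steps flip; they are assumed here and should be checked against the HOWTO and the installed PKI version before use.

```shell
#!/bin/sh
# Added example (not FreeIPA's code): idempotent CS.cfg key editing for a
# set-crl-master style script. Works on any key=value file; uses a temp file
# instead of sed -i so it runs on both GNU and BSD sed.
set -eu

# set_cfg FILE KEY VALUE: replace an existing KEY= line or append one.
# Values are expected to be simple tokens (true/false/numbers); a value
# containing '|' or '&' would need escaping for sed, which this skips.
set_cfg() {
    file=$1 key=$2 value=$3
    # Dots in the key must be literal in the regex, so escape them.
    pat=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    if grep -q "^$pat=" "$file"; then
        sed "s|^$pat=.*|$key=$value|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# get_cfg FILE KEY: print the value of KEY (empty if absent).
get_cfg() {
    pat=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    grep "^$pat=" "$1" | head -n 1 | cut -d= -f2-
}

# Role toggles. The keys are assumed to be the CS.cfg settings that the
# HOWTO turns off on the old CRL master and on on the new one.
crl_clone() {
    set_cfg "$1" ca.crl.MasterCRL.enableCRLCache false
    set_cfg "$1" ca.crl.MasterCRL.enableCRLUpdates false
}
crl_master() {
    set_cfg "$1" ca.crl.MasterCRL.enableCRLCache true
    set_cfg "$1" ca.crl.MasterCRL.enableCRLUpdates true
}

# Constructed sample CS.cfg fragment (not a real one) for an offline dry run.
make_sample_cfg() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, three keys only
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.autoUpdateInterval=240
EOF
    printf '%s\n' "$f"
}

# Dry run: demote one sample "old master" and promote another "new master".
old=$(make_sample_cfg); new=$(make_sample_cfg)
crl_clone "$old"
crl_master "$new"
echo "old master CRL updates: $(get_cfg "$old" ca.crl.MasterCRL.enableCRLUpdates)"
echo "new master CRL updates: $(get_cfg "$new" ca.crl.MasterCRL.enableCRLUpdates)"
rm -f "$old" "$new"
```

In the real script the `crl_clone` half runs over ssh on the old master and `crl_master` locally, each followed by a restart of the PKI service as the HOWTO describes; the setter is the part worth getting right, since a duplicated or mangled key silently leaves the old host still generating CRLs.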
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-devel@lists.fedorahosted.org/message/MC2DFEZTMVJIMAFW62LSGKBQXVUKMSS3/