[Freeipa-devel] [PATCH] 0051 Handle --subject option in ipa-server-install

Petr Viktorin pviktori at redhat.com
Thu Aug 1 12:54:25 UTC 2013


On 07/31/2013 11:51 AM, Ana Krivokapic wrote:
> On 07/30/2013 06:24 PM, Petr Viktorin wrote:
>> On 07/30/2013 10:27 AM, Ana Krivokapic wrote:
>>> Hello,
>>>
>>> This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3783.
>>>
>>
>> Thanks for the patch, I have a concern below:
>>
>>> freeipa-akrivoka-0051-Handle-subject-option-in-ipa-server-install.patch
>>> diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
>>> index
>>> de17c5b23d79f31e8571a3400d44397630cadada..a2625e6198bcff0811c482e479c8af10716dcea1
>>> 100644
>>> --- a/install/tools/ipa-upgradeconfig
>>> +++ b/install/tools/ipa-upgradeconfig
>>> @@ -894,6 +895,7 @@ def main():
>>>        configured_constants = dogtag.configured_constants()
>>>        sub_dict = dict(
>>>            REALM=api.env.realm,
>>> +        SUBJECT_BASE=str(DN(('O', api.env.realm))),
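Review bot: `SUBJECT_BASE=str(DN(('O', api.env.realm)))` in this ipa-upgradeconfig hunk hardcodes the default subject base (O=<realm>) instead of the one the server was actually installed with, so a deployment that used a custom --subject gets its certmap.conf silently rewritten to the default the next time certmap.conf.template's version bumps. Suggest sourcing the value from the configured subject base (the follow-up in this thread reads it from LDAP), and deciding up front what to write when that source cannot be reached during an upgrade, since substituting an empty or None value here yields an invalid issuer DN in certmap.conf.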
>>
>> When certmap.conf.template's version changes again, this will rewrite the
>> subject to the default. Don't we want to use the subject base also here?
>>
>>
>>
>
> You are right. The updated patch uses the current value of subject base from
> LDAP to update certmap.conf during upgrades.

When ipa-upgradeconfig is run while the DS is down, this results in a 
small warning, and very bad configuration:
     certmap ipaca           CN=Certificate Authority,None
I'm not sure how this should be handled. I'm adding Rob to the loop.
Rob, can we start the DS in ipa-upgradeconfig? That sounds quite 
heavy-handed for a RPM upgrade script.

Maybe if the DS is unavailable, we should use the old value from the 
config file itself.

-- 
Petr³
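One way to implement the fallback Petr suggests (added example, not code from the FreeIPA patch or project): read the subject base from LDAP when the DS is up, otherwise recover it from the `certmap ipaca` line already in certmap.conf, and never accept the literal `None` the thread observed. `ldap_lookup` is a hypothetical callable standing in for the real LDAP query; the sample certmap.conf contents are constructed.

```python
# Issuer DN prefix FreeIPA writes for the IPA CA in certmap.conf
# (rendered form quoted in the thread: "certmap ipaca  CN=Certificate Authority,<base>").
CA_ISSUER_PREFIX = "CN=Certificate Authority,"

# Constructed sample files: a healthy one from a server installed with a
# custom --subject, and the broken one produced by a failed LDAP lookup.
SAMPLE_GOOD_CERTMAP = (
    "certmap default         default\n"
    "certmap ipaca           CN=Certificate Authority,O=CUSTOM ORG\n"
)
SAMPLE_BROKEN_CERTMAP = "certmap ipaca           CN=Certificate Authority,None\n"


def subject_base_from_certmap(certmap_text):
    """Recover the subject base from an existing certmap.conf.

    Returns None when the 'certmap ipaca' line is missing or already broken
    (e.g. it carries a literal 'None' after an upgrade run with the DS down).
    """
    for line in certmap_text.splitlines():
        parts = line.split(None, 2)  # certmap <name> <issuer DN>
        if len(parts) != 3 or parts[0] != "certmap" or parts[1] != "ipaca":
            continue
        issuer = parts[2].strip()
        if issuer.startswith(CA_ISSUER_PREFIX):
            base = issuer[len(CA_ISSUER_PREFIX):].strip()
            if base and base != "None":  # reject the broken value
                return base
    return None


def choose_subject_base(ldap_lookup, certmap_text, realm):
    """Pick SUBJECT_BASE for the template: LDAP first, then the value already
    on disk, then the installer default O=<REALM>.  ldap_lookup is a
    hypothetical callable returning the configured subject base, or raising
    when the directory server is unavailable."""
    try:
        base = ldap_lookup()
        if base:
            return str(base)
    except Exception:
        pass  # DS down during the RPM upgrade: fall back to the old file
    base = subject_base_from_certmap(certmap_text)
    if base:
        return base
    return "O=%s" % realm


def ds_down():
    """Simulates the LDAP lookup failing because the DS is not running."""
    raise RuntimeError("directory server unavailable")
```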