[Freeipa-devel] [PATCH] 0051 Handle --subject option in ipa-server-install

Martin Kosek mkosek at redhat.com
Thu Aug 1 12:58:33 UTC 2013


On 08/01/2013 02:54 PM, Petr Viktorin wrote:
> On 07/31/2013 11:51 AM, Ana Krivokapic wrote:
>> On 07/30/2013 06:24 PM, Petr Viktorin wrote:
>>> On 07/30/2013 10:27 AM, Ana Krivokapic wrote:
>>>> Hello,
>>>>
>>>> This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3783.
>>>>
>>>
>>> Thanks for the patch, I have a concern below:
>>>
>>>> freeipa-akrivoka-0051-Handle-subject-option-in-ipa-server-install.patch
>>>> diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
>>>> index
>>>> de17c5b23d79f31e8571a3400d44397630cadada..a2625e6198bcff0811c482e479c8af10716dcea1
>>>>
>>>> 100644
>>>> --- a/install/tools/ipa-upgradeconfig
>>>> +++ b/install/tools/ipa-upgradeconfig
>>>> @@ -894,6 +895,7 @@ def main():
>>>>        configured_constants = dogtag.configured_constants()
>>>>        sub_dict = dict(
>>>>            REALM=api.env.realm,
>>>> +        SUBJECT_BASE=str(DN(('O', api.env.realm))),
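Review bot: `SUBJECT_BASE=str(DN(('O', api.env.realm)))` in `sub_dict` hardcodes the default subject base (`O=<realm>`), so a custom subject base set with `--subject` is silently replaced whenever ipa-upgradeconfig regenerates certmap.conf from the template. The substitution should use the subject base the installation actually has, and the hunk as quoted provides no fallback for the case where that value cannot be obtained, which is how a literal `None` ends up in the `certmap ipaca` line; suggest reading the configured subject base and, if it is unavailable, leaving the existing certmap.conf untouched rather than rendering the template.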
>>>
>>> When certmap.conf.template's version changes again, this will rewrite the
>>> subject to the default. Don't we want to use the subject base also here?
>>>
>>>
>>>
>>
>> You are right. The updated patch uses the current value of subject base from
>> LDAP to update certmap.conf during upgrades.
> 
> When ipa-upgradeconfig is run while the DS is down, this results in a small
> warning, and a very bad configuration:
>     certmap ipaca           CN=Certificate Authority,None
> 
> 
> I'm not sure how this should be handled. I'm adding Rob to the loop.
> Rob, can we start the DS in ipa-upgradeconfig? That sounds quite heavy-handed
> for a RPM upgrade script.
> 
> Maybe if the DS is unavailable, we should use the old value from the config
> file itself.

Values can be stored/restored using a sysupgrade module. I would not be so
afraid of starting the DS module, we already do that exercise in
ipa-ldap-updater, so adding it in ipa-upgradeconfig too does not change much.

The question is, what should we do when DS cannot be started or cannot be read
(e.g. when upgrade is run in fedup's chrooted environment) - we must make sure
we don't mess the configuration up.

Martin
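The fallback Petr proposes above (use the subject base already in certmap.conf when LDAP is unavailable) and the guard Martin asks for (never write a broken value), as an added example that is not FreeIPA's own code; the certmap.conf sample is constructed, and the `certmap ipaca CN=Certificate Authority,<subject base>` line format is taken from the broken line quoted in the thread.

```python
import re

# Prefix FreeIPA puts in front of the subject base on the ipaca certmap line.
CA_CN = "CN=Certificate Authority"
CERTMAP_RE = re.compile(r"^\s*certmap\s+ipaca\s+(?P<dn>\S.*)$", re.MULTILINE)

# Constructed sample of an existing certmap.conf with a custom subject base.
SAMPLE_CERTMAP = """\
certmap default         default
default:DNComps
default:FilterComps     uid
certmap ipaca           CN=Certificate Authority,O=EXAMPLE.COM,ST=CUSTOM
ipaca:CmapLdapAttr      seeAlso
ipaca:verifycert        on
"""


def subject_base_from_certmap(certmap_text):
    """Recover the subject base from an existing certmap.conf, or None."""
    m = CERTMAP_RE.search(certmap_text)
    if not m:
        return None
    dn = m.group("dn").strip()
    prefix = CA_CN + ","
    if not dn.startswith(prefix):
        return None
    base = dn[len(prefix):].strip()
    # A previous upgrade run with the DS down leaves a literal "None" here;
    # treat that like a missing value instead of propagating it.
    if not base or base == "None":
        return None
    return base


def choose_subject_base(ldap_value, certmap_text, realm):
    """Prefer the LDAP value, then the old config file, then the default."""
    for candidate in (ldap_value, subject_base_from_certmap(certmap_text)):
        if candidate and candidate != "None":
            return candidate
    return "O=%s" % realm


def render_certmap_line(subject_base):
    """Render the ipaca line, refusing to write an invalid subject base."""
    if not subject_base or subject_base == "None":
        raise ValueError("refusing to write an invalid subject base")
    return "certmap ipaca           %s,%s" % (CA_CN, subject_base)
```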



