[Freeipa-devel] [PATCH] Password vault

Jan Cholasta jcholast at redhat.com
Tue Jun 2 10:04:45 UTC 2015


On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
> On 5/28/2015 12:46 AM, Jan Cholasta wrote:
>>> On a related note, since KRA is optional, can we move the vaults
>>> container to cn=kra,cn=vaults? This is the convention used by the other
>>> optional components (DNS and recently CA).
>>
>> I mean cn=vaults,cn=kra of course.
>
> If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
> the IPA framework will work with it.
>
> If you are talking about adding a new cn=kra,<IPA suffix> entry on top
> of cn=vaults, what is the purpose of this entry? Is the entry going to
> be created/deleted automatically when the KRA is installed/removed? Is
> it going to be used for something else other than vaults?

I'm talking about cn=kra,<IPA suffix>. It should be created only when
KRA is installed, although I think this can be done later after the
release; moving vaults to cn=kra should be good enough for now. It's
going to be used for everything KRA-specific.

>
> There are a lot of questions that need to be answered before we can make
> this change.

This is about sticking to a convention, which everyone should do, and 
everyone except KRA already does.

I'm sorry I didn't realize this earlier, but the change must be done now.

> We probably should revisit this issue after the core vault
> functionality is added.
>

We can't revisit it later because after release we are stuck with 
whatever is there forever.

See attachment for a patch which implements the change.

-- 
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-434-vault-Move-vaults-to-cn-vaults-cn-kra.patch
Type: text/x-patch
Size: 8337 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150602/fb4fe86d/attachment.bin>

