[Freeipa-devel] [PATCH] Password vault

Martin Kosek mkosek at redhat.com
Tue Jun 2 11:56:47 UTC 2015


On 06/02/2015 12:04 PM, Jan Cholasta wrote:
> On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
>> On 5/28/2015 12:46 AM, Jan Cholasta wrote:
>>>> On a related note, since KRA is optional, can we move the vaults
>>>> container to cn=kra,cn=vaults? This is the convention used by the other
>>>> optional components (DNS and recently CA).
>>>
>>> I mean cn=vaults,cn=kra of course.
>>
>> If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
>> the IPA framework will work with it.
>>
>> If you are talking about adding a new cn=kra,<IPA suffix> entry on top
>> of cn=vaults, what is the purpose of this entry? Is the entry going to
>> be created/deleted automatically when the KRA is installed/removed? Is
>> it going to be used for something else other than vaults?
> 
> I'm talking about cn=kra,<IPA suffix>. It should be created only when KRA is
> installed, although I think this can be done later after the release, moving
> vaults to cn=kra should be good enough for now. It's going to be used for
> everything KRA-specific.
> 
>>
>> There are a lot of questions that need to be answered before we can make
>> this change.
> 
> This is about sticking to a convention, which everyone should do, and everyone
> except KRA already does.
> 
> I'm sorry I didn't realize this earlier, but the change must be done now.

+1 for this change. I do not even think it will be that big a deal, it is just about
the default space in the IPA tree - to have proper structure in it (DNS has
cn=dns, KRA has cn=kra, etc.).

> 
>> We probably should revisit this issue after the core vault
>> functionality is added.
>>
> 
> We can't revisit it later because after release we are stuck with whatever is
> there forever.

Right.



