[Freeipa-devel] [PATCH] Password vault

Simo Sorce simo at redhat.com
Tue Jun 2 18:34:34 UTC 2015


On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
> On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
> > On 5/28/2015 12:46 AM, Jan Cholasta wrote:
> >>> On a related note, since KRA is optional, can we move the vaults
> >>> container to cn=kra,cn=vaults? This is the convention used by the other
> >>> optional components (DNS and recently CA).
> >>
> >> I mean cn=vaults,cn=kra of course.
> >
> > If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
> > the IPA framework will work with it.
> >
> > If you are talking about adding a new cn=kra,<IPA suffix> entry on top
> > of cn=vaults, what is the purpose of this entry? Is the entry going to
> > be created/deleted automatically when the KRA is installed/removed? Is
> > it going to be used for something else other than vaults?
> 
> I'm talking about cn=kra,<IPA suffix>. It should be created only when 
> KRA is installed, although I think this can be done later after the 
> release, moving vaults to cn=kra should be good enough for now. It's 
> going to be used for everything KRA-specific.
> 
> >
> > There are a lot of questions that need to be answered before we can make
> > this change.
> 
> This is about sticking to a convention, which everyone should do, and 
> everyone except KRA already does.
> 
> I'm sorry I didn't realize this earlier, but the change must be done now.
> 
> > We probably should revisit this issue after the core vault
> > functionality is added.
> >
> 
> We can't revisit it later because after release we are stuck with 
> whatever is there forever.
> 
> See attachment for a patch which implements the change.
> 

Shouldn't we s/kra/vault/ ?
After all the feature is called Vault, not KRA.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



