[Freeipa-devel] [PATCH] Password vault

Jan Cholasta jcholast at redhat.com
Wed Jun 3 09:41:42 UTC 2015


On 3.6.2015 at 09:27, Martin Kosek wrote:
> On 06/02/2015 08:34 PM, Simo Sorce wrote:
>> On Tue, 2015-06-02 at 12:04 +0200, Jan Cholasta wrote:
>>> On 2.6.2015 at 02:02, Endi Sukma Dewata wrote:
>>>> On 5/28/2015 12:46 AM, Jan Cholasta wrote:
>>>>>> On a related note, since KRA is optional, can we move the vaults
>>>>>> container to cn=kra,cn=vaults? This is the convention used by the other
>>>>>> optional components (DNS and recently CA).
>>>>>
>>>>> I mean cn=vaults,cn=kra of course.
>>>>
>>>> If you are talking about the o=kra,<PKI suffix>, I'm not sure whether
>>>> the IPA framework will work with it.
>>>>
>>>> If you are talking about adding a new cn=kra,<IPA suffix> entry on top
>>>> of cn=vaults, what is the purpose of this entry? Is the entry going to
>>>> be created/deleted automatically when the KRA is installed/removed? Is
>>>> it going to be used for something else other than vaults?
>>>
>>> I'm talking about cn=kra,<IPA suffix>. It should be created only when
>>> KRA is installed, although I think this can be done later after the
>>> release, moving vaults to cn=kra should be good enough for now. It's
>>> going to be used for everything KRA-specific.
>>>
>>>>
>>>> There are a lot of questions that need to be answered before we can make
>>>> this change.
>>>
>>> This is about sticking to a convention, which everyone should do, and
>>> everyone except KRA already does.
>>>
>>> I'm sorry I didn't realize this earlier, but the change must be done now.
>>>
>>>> We probably should revisit this issue after the core vault
>>>> functionality is added.
>>>>
>>>
>>> We can't revisit it later because after release we are stuck with
>>> whatever is there forever.
>>>
>>> See attachment for a patch which implements the change.
>>>
>>
>> Shouldn't we s/kra/vault/ ?
>> After all the feature is called Vault, not KRA.
>
> I thought we are naming it by the name of the optional subsystem, not the
> feature itself. If for example, another feature from KRA is used, it would
> still live in cn=kra, no?

Correct.

-- 
Jan Cholasta



