[Freeipa-devel] update on freeipa 4.2 pki issues

Fraser Tweedale ftweedal at redhat.com
Tue Jun 16 16:39:21 UTC 2015


I fixed several issues which broke Dogtag upgrades involving
particular versions; these will be in the next release.

I haven't yet gotten to the reported failure running
ipa-replica-upgrade on a replica (but I haven't forgotten about it
either.)  This is the only issue affecting *fresh installs* that I
am aware of.  If you know of others please let me know!

The remaining Dogtag-related upgrade problem is caused by new DS
schema on the Dogtag side, which is used for LDAP-based profiles.
There is not yet an automatic schema upgrade facility for Dogtag, so
the new schema was missing.

The planned approach is:

- Either Dogtag or FreeIPA will add the new CS schema on upgrade.
  (Eventually Dogtag will need to manage its own schema updates but
  right now there is no facility, and the new schema is only used by
  IPA.)

- Migrate file-based profiles into LDAP during IPA upgrade.  But for
  this to work, I need to make sure that if new schema is added, and
  entries that use the new schema are then created, replication to
  instances that do not yet have the new schema will not break.
  Anyone who knows LDAP better than me, please share your knowledge!

- If my assumptions about replication are wrong, the best approach
  will probably be to have the administrator perform profile
  migration (via a script) as a later task, after all replicas have
  been upgraded.

Thanks,
Fraser
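The third option above (have the administrator run profile migration only after every replica has been upgraded) amounts to a gate: check that the new Dogtag objectClass is present in the schema of every replica, and only then turn the file-based profiles into LDAP entries. The following is an added illustration of that gate, not code from this message or from FreeIPA/Dogtag. It assumes the profile objectClass is named certProfile, that the profile text is stored in a certProfileConfig attribute alongside classId, and that profiles live under ou=certificateProfiles,ou=ca,o=ipaca; the schema snapshots and the profile file are constructed inline so the block runs offline, with the schema text standing in for what a real script would read from cn=schema on each replica.

```python
import base64
import re
from dataclasses import dataclass

# Constructed objectClass definitions as they would be read from each
# replica's cn=schema entry.  replica2 has not been upgraded yet, so the
# (assumed) Dogtag profile objectClass is missing there.
REPLICA_SCHEMA = {
    "replica1.example.test": [
        "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
        "( 1.3.6.1.4.1.2312.9.1.1.1 NAME 'certProfile' SUP top STRUCTURAL "
        "MUST ( cn $ classId $ certProfileConfig ) )",  # OID is made up
    ],
    "replica2.example.test": [
        "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    ],
}

# Assumed location of LDAP-based profiles in the Dogtag tree.
BASE_DN = "ou=certificateProfiles,ou=ca,o=ipaca"

# Matches the NAME part of an RFC 4512 objectClass definition, in both the
# single-name form NAME 'x' and the list form NAME ( 'x' 'y' ).
OC_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")


def objectclass_names(definitions):
    """Return the set of objectClass names declared by the given definitions."""
    names = set()
    for definition in definitions:
        match = OC_NAME_RE.search(definition)
        if match is None:
            continue
        if match.group(1) is not None:
            names.add(match.group(1))
        else:
            names.update(re.findall(r"'([^']*)'", match.group(2)))
    return names


def replicas_missing_schema(schema_by_replica, required):
    """Names of replicas whose schema lacks any of the required objectClasses."""
    return sorted(
        replica for replica, defs in schema_by_replica.items()
        if not required <= objectclass_names(defs)
    )


def migration_allowed(schema_by_replica, required=frozenset({"certProfile"})):
    """True only when every replica already carries the new schema."""
    return not replicas_missing_schema(schema_by_replica, set(required))


@dataclass
class FileProfile:
    profile_id: str   # e.g. the file name without .cfg
    class_id: str     # profile implementation class, from CS.cfg
    config_text: str  # raw contents of the profile file


# Constructed, abbreviated profile file in the key=value style Dogtag uses.
SAMPLE_PROFILES = [
    FileProfile(
        profile_id="caIPAserviceCert",
        class_id="caEnrollImpl",
        config_text=(
            "desc=Constructed sample profile for illustration\n"
            "visible=false\n"
            "enable=true\n"
            "enableBy=admin\n"
            "auth.instance_id=raCertAuth\n"
            "input.list=i1,i2\n"
        ),
    ),
]


def profile_to_ldif(profile: FileProfile, base_dn: str) -> str:
    """Render one file-based profile as an LDIF entry using the assumed schema."""
    # Multi-line values must be base64-encoded in LDIF (RFC 2849, '::' form).
    encoded = base64.b64encode(profile.config_text.encode("utf-8")).decode("ascii")
    lines = [
        f"dn: cn={profile.profile_id},{base_dn}",
        "objectClass: top",
        "objectClass: certProfile",
        f"cn: {profile.profile_id}",
        f"classId: {profile.class_id}",
        f"certProfileConfig:: {encoded}",
    ]
    return "\n".join(lines) + "\n"


def migrate_profiles(schema_by_replica, profiles, base_dn=BASE_DN):
    """Gate the migration on the schema check, then emit LDIF for every profile."""
    missing = replicas_missing_schema(schema_by_replica, {"certProfile"})
    if missing:
        raise RuntimeError("schema not yet present on: " + ", ".join(missing))
    return [profile_to_ldif(p, base_dn) for p in profiles]


if __name__ == "__main__":
    print("migration allowed:", migration_allowed(REPLICA_SCHEMA))
    print("replicas still to upgrade:",
          replicas_missing_schema(REPLICA_SCHEMA, {"certProfile"}))
```

With the constructed data the gate refuses to migrate because replica2 lacks the objectClass; once every replica's schema contains it, the same call produces LDIF that can be fed to ldapadd. The check sidesteps the open replication question entirely: no entry using the new objectClass is ever written while a replica that cannot accept it still exists.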
