[Freeipa-devel] update on freeipa 4.2 pki issues

Martin Kosek mkosek at redhat.com
Wed Jun 17 05:52:30 UTC 2015


On 06/16/2015 06:39 PM, Fraser Tweedale wrote:
> I fixed several issues which broke Dogtag upgrades involving
> particular versions; these will be in the next release.
>
> I haven't yet gotten to the reported failure running
> ipa-replica-upgrade on a replica (but I haven't forgotten about it
> either.)  This is the only issue affecting *fresh installs* that I
> am aware of.  If you know of others please let me know!
>
> The remaining Dogtag-related upgrade problem is caused by new DS
> schema on the Dogtag side, which is used for LDAP-based profiles.
> There is not yet an automatic schema upgrade facility for Dogtag, so
> the new schema was missing.
>
> The planned approach is:
>
> - Either Dogtag or FreeIPA will add the new CS schema on upgrade.
>    (Eventually Dogtag will need to manage its own schema updates but
>    right now there is no facility, and the new schema is only used by
>    IPA.)

If possible, I would prefer Dogtag to update the schema the best it can; 
otherwise there is a risk of collisions or upgrade breakages if FreeIPA starts 
updating Dogtag internals.

> - Migrate file-based profiles into LDAP during IPA upgrade.  But for
>    this to work, I need to make sure that if new schema is added,
>    then entries that use the new schema, replication to instances
>    that did not yet have the new schema will not break.  Anyone who
>    knows LDAP better than me, please share your knowledge!

Shouldn't schema just replicate when the first FreeIPA+CS is upgraded? CCing 
Thierry for reference, he had a lot of fun with schema upgrades.

>
> - If my assumptions about replication are wrong, the best approach
>    will probably be to have the administrator perform profile
>    migration (via a script) as a later task, after all replicas have
>    been upgraded.

Not a fan of this; FreeIPA upgrades should ideally be automatic and 
straightforward. So far we did not have problems with automatic upgrades (well, 
except the Dogtag9->Dogtag10 upgrade - I would prefer not to have such a situation 
again).

Thanks for the updates!
Martin