[Freeipa-devel] update on freeipa 4.2 pki issues

Fraser Tweedale ftweedal at redhat.com
Wed Jun 17 13:06:59 UTC 2015 

On Wed, Jun 17, 2015 at 01:43:03PM +0200, thierry bordaz wrote:
> On 06/17/2015 01:09 PM, Fraser Tweedale wrote:
> >On Wed, Jun 17, 2015 at 12:28:33PM +0200, thierry bordaz wrote:
> >>Hello Fraser,
> >>
> >>    The schema is propagated on all replica. So if you update the
> >>    schema, the updates will be eventually present everywhere.
> >>    There is two ways to update the schema.
> >>
> >>      * online update (prefered), you simply do a ldapmodify on
> >>        'cn=schema' adding/updating attributetypes/objectclasses
> >>      * offline. You stop a replica/master, update the schema files,
> >>        start the server. This is not the prefered solution because
> >>        depending on version of DS it can take more time to detect the
> >>        new schema and propagated it.
> >>
> >>    Do you know how CS schema upgrade will be done (online/offline) ?
> >>    Is it the new definitions
> >>    http://www.freeipa.org/page/V4/Certificate_Profiles#Schema ?
> >>
> >>    Thanks
> >>    thierry
> >>
> >Thanks Thierry for your detailed reply!  The schema is actually
> >defined by Dogtag and is used only by the Dogtag directory tree
> >(under DN o=ipa-ca).  I will do an online update.
> >
> >Cheers,
> >Fraser
> 
> Hi Fraser,
> 
> The schema is per DS instance so all suffixes will share the same schema.
> Now only o=ipaca entries will use the new definitions.
> 
> During upgrade, if you do online update of 'cn=schema', the next update (on
> main sufix or o=ipaca) will trigger the replication of those definitions.
> The exact replication scenario of the schema depends on the version of DS
> but the definitions should eventually be present on all instances.
> You may check if the definitions are propagated on each instance with
> 'ldapsearch -h <host> -p 389 -D "cn=directory manager" -w ... -b "cn=schema"
> attributetypes objectclasses.
> 
> I am not sure what is the 'Migrate file-base profile' scenario. Is it an
> import  (ldif2db) of new profiles with entries containing new schema
> defintions ?
> 
It is not a direct import via ldif2db(8), but in essence, yes - new
entries are added which contain attributes defined by in the new
schema.

Cheers,
Fraser

> thanks
> thierry
> >
> >>On 06/17/2015 07:52 AM, Martin Kosek wrote:
> >>>On 06/16/2015 06:39 PM, Fraser Tweedale wrote:
> >>>>I fixed several issues which broke Dogtag upgrades involving
> >>>>particular versions; these will be in the next release.
> >>>>
> >>>>I haven't yet gotten to to the reported failure running
> >>>>ipa-replica-upgrade on a replica (but I haven't forgotten about it
> >>>>either.)  This is the only issue affecting *fresh installs* that I
> >>>>am aware of.  If you know of others please let me know!
> >>>>
> >>>>The remaining Dogtag-related upgrade problem is caused by new DS
> >>>>schema on the Dogtag side, which is used for LDAP-based profiles.
> >>>>There is not yet an automatic schema upgrade facility for Dogtag, so
> >>>>the new schema was missing.
> >>>>
> >>>>The planned approach is:
> >>>>
> >>>>- Either Dogtag or FreeIPA will add the new CS schema on upgrade.
> >>>>   (Eventually Dogtag will need to manage its own schema updates but
> >>>>   right now there is no facility, and the new schema is only used by
> >>>>   IPA.)
> >>>If possible, I would prefer Dogtag to update the schema the best it can,
> >>>otherwise there is a risk of collisions or upgrade breakages if FreeIPA
> >>>starts updating Dogtag internals.
> >>>
> >>>>- Migrate file-based profiles into LDAP during IPA upgrade.  But for
> >>>>   this to work, I need to make sure that if new schema is added,
> >>>>   then entries that use the new schema, replication to instances
> >>>>   that did not yet have the new schema will not break.  Anyone who
> >>>>   knows LDAP better than me, please share your knowledge!
> >>>Shouldn't schema just replicate, when the first FreeIPA+CS is upgraded?
> >>>CCing Thierry for reference, he had a lot of fun with schema upgrades.
> >>>
> >>>>- If my assumptions about replication are wrong, the best approach
> >>>>   will probably be to have the administrator perform profile
> >>>>   migration (via a script) as a later task, after all replicas have
> >>>>   been upgraded.
> >>>Not a fan of this, FreeIPA upgrades should be ideally automatic and
> >>>straightforward. So far we did not have problems with automatic upgrades
> >>>(well, except Dogtag9->Dogtag10 upgrade - I would prefer not to have such
> >>>situation again).
> >>>
> >>>Thanks for updates!
> >>>Martin
>

More information about the Freeipa-devel mailing list