[Freeipa-devel] Need to figure out how to make a schema change

Nathan Kinder nkinder at redhat.com
Thu Jun 18 18:02:03 UTC 2015



On 06/18/2015 10:45 AM, Ade Lee wrote:
> In order for IPA to use some new functionality in Profile Management and
> Sub CAs, we need to add some additional schema to the Dogtag LDAP
> instance.
> 
> Fraser has written a Dogtag upgrade script to do this upgrade, but this
> script expects the DM password to be in password.conf.  Some discussion
> on this script can be found here:
>  https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
> 
> In general, I think that while Dogtag will provide a database upgrade
> framework and/or upgrade LDIF scripts, we will not - in general - know
> how to connect to the DB with a user that has credentials to make schema
> changes.
> 
> Fortunately, these types of changes are rare.  Note that in all the
> years Dogtag has been part of IPA, this is the first time this situation
> has arisen.
> 
> The question now though is - how can we co-ordinate with IPA to make
> this change?  This question may have both a short term (for this
> particular change) and long term answer.

What about using LDAPI and autobind functionality?  If the upgrade
script is run locally as root, then it can autobind to "cn=Directory
Manager" without requiring a password.

Thanks,
-NGK

> 
> Thanks,
> Ade 
> 
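A sketch of the LDAPI/autobind approach suggested in the reply above, added here as an illustration; it is not code from the thread, from Dogtag or from IPA. It assumes the directory server has LDAPI autobind enabled with root mapped to the root DN, that the OpenLDAP client tools are installed, and the socket and LDIF paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: apply a schema LDIF over the local LDAPI socket using
# SASL EXTERNAL, so no Directory Manager password is read from disk.
# Assumption: the server maps the connecting UID 0 to the root DN (autobind).

# Build an ldapi:// URL from a UNIX socket path. "%" is escaped first so
# that the "/" escapes added afterwards are not double-encoded.
ldapi_url() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed -e 's|%|%25|g' -e 's|/|%2F|g')"
}

# Checks made before touching the server: caller must be root (otherwise
# autobind maps to an unprivileged or anonymous identity) and the path
# must be a socket.
preflight() {
    sock=$1
    uid=$2
    [ "$uid" -eq 0 ] || { echo "must run as root for root-DN autobind" >&2; return 1; }
    [ -S "$sock" ] || { echo "no LDAPI socket at $sock" >&2; return 2; }
    return 0
}

# Confirm which identity the server mapped us to, then apply the LDIF.
apply_schema() {
    sock=$1
    ldif=$2
    preflight "$sock" "$(id -u)" || return $?
    url=$(ldapi_url "$sock")
    who=$(ldapwhoami -Q -Y EXTERNAL -H "$url") || return 3
    who=$(printf '%s' "$who" | tr '[:upper:]' '[:lower:]')
    case $who in
        *"cn=directory manager"*) ;;
        *) echo "autobind mapped to '$who', not Directory Manager" >&2; return 4 ;;
    esac
    ldapmodify -Q -Y EXTERNAL -H "$url" -f "$ldif"
}

# Usage (placeholder paths):
#   apply_schema /path/to/instance.socket /path/to/schema-update.ldif
```

The `ldapwhoami` step makes the script fail closed when autobind is disabled or maps root to a different entry, instead of attempting the schema change under an unexpected identity.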