[Freeipa-devel] Need to figure out how to make a schema change
Nathan Kinder
nkinder at redhat.com
Thu Jun 18 18:02:03 UTC 2015
On 06/18/2015 10:45 AM, Ade Lee wrote:
> In order for IPA to use some new functionality in Profile Management and
> Sub CAs, we need to add some additional schema to the Dogtag LDAP
> instance.
>
> Fraser has written a Dogtag upgrade script to do this upgrade, but this
> script expects the DM password to be in password.conf. Some discussion
> on this script can be found here ..
> https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
>
> In general, I think that while Dogtag will provide a database upgrade
> framework and/or upgrade LDIF scripts, we will not - in general - know
> how to connect to the DB with a user that has credentials to make schema
> changes.
>
> Fortunately, these types of changes are rare. Note that in all the
> years Dogtag has been part of IPA, this is the first time this situation
> has arisen.
>
> The question now though is - how can we co-ordinate with IPA to make
> this change? This question may have both a short term (for this
> particular change) and long term answer.

What about using LDAPI and autobind functionality? If the upgrade
script is run locally as root, then it can autobind to "cn=Directory
Manager" without requiring a password.

Thanks,
-NGK

>
> Thanks,
> Ade
>
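
Added example, not part of the original message and not Dogtag or IPA project code: a sketch of the LDAPI autobind approach suggested in the reply, which confirms that the local root connection really maps to "cn=Directory Manager" before applying a schema LDIF. It assumes the OpenLDAP client tools are installed; the socket path and LDIF file are supplied by the caller and are placeholders here.

```shell
#!/bin/sh
# Added example: apply a schema LDIF over LDAPI using SASL EXTERNAL (autobind),
# so no Directory Manager password is read from a file or passed on the command line.
# Assumptions: OpenLDAP client tools; socket path and LDIF path come from the caller.

# Turn a UNIX socket path into an ldapi:// URI (only "/" is percent-encoded,
# which is enough for ordinary socket paths).
ldapi_uri() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2F|g')"
}

# Succeed only if ldapwhoami output ($1) names the expected DN ($2).
# DNs are compared case-insensitively; the leading "dn:" prefix is stripped.
is_bound_as() {
    got=$(printf '%s' "$1" | sed 's/^dn: *//' | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$got" = "$want" ]
}

# apply_schema SOCKET_PATH LDIF_FILE
apply_schema() {
    sock=$1
    ldif=$2

    # Autobind maps the peer's UNIX credentials; only uid 0 maps to the root DN.
    [ "$(id -u)" -eq 0 ] || { echo "must run as root for autobind" >&2; return 1; }
    [ -S "$sock" ] || { echo "no LDAPI socket at $sock" >&2; return 1; }
    [ -r "$ldif" ] || { echo "cannot read $ldif" >&2; return 1; }

    uri=$(ldapi_uri "$sock")

    # Check the identity the server assigned before changing anything.
    who=$(ldapwhoami -Q -H "$uri" -Y EXTERNAL) || return 1
    is_bound_as "$who" "cn=Directory Manager" || {
        echo "autobind mapped to '$who', refusing to modify schema" >&2
        return 1
    }

    ldapmodify -Q -H "$uri" -Y EXTERNAL -f "$ldif"
}

# Usage (placeholder paths): apply_schema /path/to/slapd-INSTANCE.socket /path/to/schema.ldif
```

If the whoami check fails, the directory server's LDAPI autobind and root DN mapping settings are the place to look, rather than falling back to a stored password.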