[Freeipa-devel] Need to figure out how to make a schema change

Endi Sukma Dewata edewata at redhat.com
Fri Jun 19 02:08:24 UTC 2015


On 6/18/2015 8:19 PM, Fraser Tweedale wrote:
>>> In order for IPA to use some new functionality in Profile Management and
>>> Sub CAs, we need to add some additional schema to the Dogtag LDAP
>>> instance.
>>>
>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this
>>> script expects the DM password to be in password.conf.  Some discussion
>>> on this script can be found here ..
>>>   https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
>>>
>>> In general, I think that while Dogtag will provide a database upgrade
>>> framework and/or upgrade LDIF scripts, we will not - in general - know
>>> how to connect to the DB with a user that has credentials to make schema
>>> changes.
>>>
>>> Fortunately, these types of changes are rare.  Note that in all the
>>> years Dogtag has been part of IPA, this is the first time this situation
>>> has arisen.
>>>
>>> The question now though is - how can we co-ordinate with IPA to make
>>> this change?  This question may have both a short term (for this
>>> particular change) and long term answer.
>>
>> What about using LDAPI and autobind functionality?  If the upgrade
>> script is run locally  as root, then it can autobind to "cn=Directory
>> Manager" without requiring a password.
>>
> I like this idea, but I'm not sure how to accurately locate the
> socket, because the name depends on the domain, e.g.
> '/var/run/slapd-EXAMPLE-COM.socket'.

I think the socket name would have to be provided by IPA via PKI 
deployment configuration.

I'm just wondering how LDAPI with autobind would work with nuxwdog. 
Supposedly when nuxwdog is enabled the server can only be started by 
providing the NSS and LDAP database passwords. Does LDAPI with autobind 
make it less secure since the LDAP password is no longer required?

Also, LDAPI wouldn't work if the DS is on a different machine in general 
PKI deployment.

I created this page about PKI database upgrade:
http://pki.fedoraproject.org/wiki/Database_Upgrade

> Since the new schema is for now only used by and supported for IPA,
> I think the immediate way forward is to provide the new schema LDIF
> in the Dogtag package (as the current patch does), and have FreeIPA
> use it to update the DS.  I will have patch for IPA and updated
> patch for Dogtag shortly.
>
> We will then work out what is the way forward for Dogtag to reliably
> manage its schema updates in the variety of authentication
> scenarios.
>
> Thanks,
> Fraser

-- 
Endi S. Dewata
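An added example (not Dogtag or FreeIPA code) that works through the two bind paths discussed above: LDAPI autobind when the upgrade runs as root on the DS host, versus a Directory Manager simple bind with the password from password.conf when it does not (including the remote-DS case). The realm-to-instance mapping follows the socket name quoted in the thread (EXAMPLE.COM -> slapd-EXAMPLE-COM.socket); the /var/run directory, the `internaldb` key in password.conf and the sample configuration text are assumptions made for the example.

```python
"""Decide how a local Dogtag schema-upgrade step can bind to the IPA 389-ds
instance: LDAPI autobind as root (no password), or a Directory Manager
simple bind using the password from password.conf.  Added example, not
Dogtag or FreeIPA code."""
import os
from urllib.parse import quote

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def instance_name(realm):
    """IPA names the DS instance after the realm with dots replaced by
    hyphens, which is what produces 'slapd-EXAMPLE-COM' in the thread."""
    return realm.upper().replace(".", "-")


def ldapi_socket_path(realm, run_dir="/var/run"):
    """Path of the LDAPI socket for the realm (run_dir is an assumption)."""
    return f"{run_dir}/slapd-{instance_name(realm)}.socket"


def ldapi_uri(socket_path):
    """LDAPI URLs carry the socket path percent-encoded, slashes included."""
    return "ldapi://" + quote(socket_path, safe="")


def read_password_conf(text, key="internaldb"):
    """Return the value for `key` from Dogtag's name=value password.conf.
    Using 'internaldb' as the LDAP bind password key is an assumption."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            return value
    return None


def plan_bind(realm, ds_host, euid, socket_exists, password_conf_text):
    """Pick a bind method.  Autobind is only an option when the process is
    root *and* the DS is on this machine (the socket exists locally); a
    remote DS, as in a general PKI deployment, must fall back to a password."""
    if ds_host in LOCAL_HOSTS and euid == 0 and socket_exists:
        return {"method": "autobind",
                "uri": ldapi_uri(ldapi_socket_path(realm))}
    password = read_password_conf(password_conf_text)
    if password is None:
        return {"method": None,
                "reason": "no DM password and autobind unavailable"}
    return {"method": "simple",
            "uri": f"ldap://{ds_host}",
            "binddn": "cn=Directory Manager",
            "password": password}


def ldapmodify_argv(plan, ldif_path, password_file=None):
    """argv for OpenLDAP ldapmodify.  SASL EXTERNAL over LDAPI lets 389-ds
    map the caller's uid 0 to cn=Directory Manager via autobind; the simple
    bind reads the password from a 0600 file (-y) rather than from argv."""
    if plan["method"] == "autobind":
        return ["ldapmodify", "-H", plan["uri"], "-Y", "EXTERNAL",
                "-f", ldif_path]
    if plan["method"] == "simple":
        if password_file is None:
            raise ValueError("simple bind needs a password file for -y")
        return ["ldapmodify", "-H", plan["uri"], "-x", "-D", plan["binddn"],
                "-y", password_file, "-f", ldif_path]
    raise RuntimeError(plan.get("reason", "no usable bind method"))


if __name__ == "__main__":
    # Constructed sample password.conf contents, not a real file.
    sample_conf = "internal=nss-token-secret\ninternaldb=dm-secret\n"
    realm = "EXAMPLE.COM"
    sock = ldapi_socket_path(realm)
    plan = plan_bind(realm, "localhost", os.geteuid(),
                     os.path.exists(sock), sample_conf)
    print(plan["method"], plan.get("uri"))
```

Note that the autobind path depends entirely on who may run the script as root on the DS host: a local root process gets Directory Manager rights with no password at all, which is the trade-off raised in the nuxwdog question above.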
