[Freeipa-devel] Need to figure out how to make a schema change
Nathan Kinder
nkinder at redhat.com
Fri Jun 19 02:51:53 UTC 2015
On 06/18/2015 07:08 PM, Endi Sukma Dewata wrote:
> On 6/18/2015 8:19 PM, Fraser Tweedale wrote:
>>>> In order for IPA to use some new functionality in Profile Management
>>>> and Sub CAs, we need to add some additional schema to the Dogtag LDAP
>>>> instance.
>>>>
>>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this
>>>> script expects the DM password to be in password.conf. Some discussion
>>>> on this script can be found here ..
>>>> https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
>>>>
>>>> In general, I think that while Dogtag will provide a database upgrade
>>>> framework and/or upgrade LDIF scripts, we will not - in general - know
>>>> how to connect to the DB with a user that has credentials to make
>>>> schema changes.
>>>>
>>>> Fortunately, these types of changes are rare. Note that in all the
>>>> years Dogtag has been part of IPA, this is the first time this
>>>> situation has arisen.
>>>>
>>>> The question now though is - how can we co-ordinate with IPA to make
>>>> this change? This question may have both a short term (for this
>>>> particular change) and long term answer.
>>>
>>> What about using LDAPI and autobind functionality? If the upgrade
>>> script is run locally as root, then it can autobind to "cn=Directory
>>> Manager" without requiring a password.
>>>
>> I like this idea, but I'm not sure how to accurately locate the
>> socket, because the name depends on the domain, e.g.
>> `/var/run/slapd-EXAMPLE-COM.socket'.
>
> I think the socket name would have to be provided by IPA via PKI
> deployment configuration.
That would work. The other alternative is that we could advertise it in
the root DSE.
>
> I'm just wondering how LDAPI with autobind would work with nuxwdog.
> Supposedly when nuxwdog is enabled the server can only be started by
> providing the NSS and LDAP database passwords. Does LDAPI with autobind
> make it less secure since the LDAP password is no longer required?
LDAPI still requires the server to be started to work. How does nuxwdog
fit into this issue?
>
> Also, LDAPI wouldn't work if the DS is on a different machine in general
> PKI deployment.
Correct.
>
> I created this page about PKI database upgrade:
> http://pki.fedoraproject.org/wiki/Database_Upgrade
>
>> Since the new schema is for now only used by and supported for IPA,
>> I think the immediate way forward is to provide the new schema LDIF
>> in the Dogtag package (as the current patch does), and have FreeIPA
>> use it to update the DS. I will have patch for IPA and updated
>> patch for Dogtag shortly.
>>
>> We will then work out what is the way forward for Dogtag to reliably
>> manage its schema updates in the variety of authentication
>> scenarios.
>>
>> Thanks,
>> Fraser
>
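The LDAPI-plus-autobind approach discussed above, worked through as an added example. This is not code from the thread, from FreeIPA or from Dogtag. It assumes the socket-naming convention visible in the thread (the 389-ds instance is named after the realm with dots replaced by dashes, so example.com maps to /var/run/slapd-EXAMPLE-COM.socket), that the DS is configured to autobind uid 0 to "cn=Directory Manager" (389-ds settings nsslapd-ldapiautobind and nsslapd-ldapimaprootdn), and that the caller passes the path of the schema LDIF shipped by the Dogtag package; the function names and the rundir parameter are this example's own.

```python
#!/usr/bin/env python3
"""Apply a schema LDIF to a 389-ds instance over LDAPI using root autobind.

Added example, not FreeIPA or Dogtag code.  Assumptions (see lead-in):
  - instance name = realm with '.' replaced by '-', socket under rundir;
  - the DS maps uid 0 to cn=Directory Manager for LDAPI connections;
  - the schema LDIF path is supplied by the caller.
"""
import os
import stat
import subprocess
from urllib.parse import quote


def instance_name(domain):
    """Map a DNS domain to the 389-ds instance suffix: example.com -> EXAMPLE-COM.

    Assumed convention; IPA is expected to pass the real name via the
    deployment configuration, as suggested in the thread.
    """
    domain = domain.strip().rstrip(".")
    if not domain:
        raise ValueError("empty domain")
    return domain.upper().replace(".", "-")


def ldapi_socket_path(domain, rundir="/var/run"):
    """Unix socket for the instance serving `domain` (naming convention assumed)."""
    return os.path.join(rundir, "slapd-%s.socket" % instance_name(domain))


def ldapi_uri(domain, rundir="/var/run"):
    """ldapi:// URI: the socket path goes in the authority part, percent-encoded."""
    return "ldapi://" + quote(ldapi_socket_path(domain, rundir), safe="")


def check_socket(path):
    """Return None if `path` is a usable unix socket, else a diagnostic string."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "%s does not exist (is the DS instance running?)" % path
    if not stat.S_ISSOCK(st.st_mode):
        return "%s is not a unix socket" % path
    return None


def ldapmodify_cmd(domain, ldif_path, rundir="/var/run"):
    """OpenLDAP ldapmodify invocation: SASL EXTERNAL over LDAPI, no password.

    -Y EXTERNAL lets the server identify the peer by its uid; the DS then
    autobinds uid 0 to the mapped root DN.  -Q suppresses the SASL banner.
    """
    return ["ldapmodify", "-H", ldapi_uri(domain, rundir),
            "-Y", "EXTERNAL", "-Q", "-f", ldif_path]


def apply_schema(domain, ldif_path, rundir="/var/run"):
    """Validate the preconditions for autobind, then run ldapmodify."""
    if os.geteuid() != 0:
        # Autobind maps the peer uid; a non-root caller would bind anonymously
        # (or to some other mapped entry), not as Directory Manager.
        raise PermissionError("LDAPI autobind to cn=Directory Manager needs uid 0")
    err = check_socket(ldapi_socket_path(domain, rundir))
    if err:
        raise FileNotFoundError(err)
    subprocess.run(ldapmodify_cmd(domain, ldif_path, rundir), check=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: %s DOMAIN SCHEMA.ldif" % sys.argv[0])
    apply_schema(sys.argv[1], sys.argv[2])
```

The preconditions are checked before ldapmodify runs because the failure modes raised in the thread are exactly these: the socket name is only guessable if the naming convention holds, the DS must already be up (LDAPI is no use before the server is started, nuxwdog or not), and a remote DS has no local socket at all, so in that deployment the caller would have to fall back to a credentialed bind over LDAP.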