[Freeipa-devel] Need to figure out how to make a schema change

Nathan Kinder nkinder at redhat.com
Fri Jun 19 02:51:53 UTC 2015 


On 06/18/2015 07:08 PM, Endi Sukma Dewata wrote:
> On 6/18/2015 8:19 PM, Fraser Tweedale wrote:
>>>> In order for IPA to use some new functionality in Profile Management
>>>> and
>>>> Sub CAs, we need to add some additional schema to the Dogtag LDAP
>>>> instance.
>>>>
>>>> Fraser has written a Dogtag upgrade script to do this upgrade, but this
>>>> script expects the DM password to be in password.conf.  Some discussion
>>>> on this script can be found here ..
>>>>   https://www.redhat.com/archives/pki-devel/2015-June/msg00054.html
>>>>
>>>> In general, I think that while Dogtag will provide a database upgrade
>>>> framework and/or upgrade LDIF scripts, we will not - in general - know
>>>> how to connect to the DB with a user that has credentials to make
>>>> schema
>>>> changes.
>>>>
>>>> Fortunately, these types of changes are rare.  Note that in all the
>>>> years Dogtag has been part of IPA, this is the first time this
>>>> situation
>>>> has arisen.
>>>>
>>>> The question now though is - how can we co-ordinate with IPA to make
>>>> this change?  This question may have both a short term (for this
>>>> particular change) and long term answer.
>>>
>>> What about using LDAPI and autobind functionality?  If the upgrade
>>> script is run locally  as root, then it can autobind to "cn=Directory
>>> Manager" without requiring a password.
>>>
>> I like this idea, but I'm not sure how to accurately locate the
>> socket, because the name depends on the domain, e.g.
>> `/var/run/slapd-EXAMPLE-COM.socket'.
> 
> I think the socket name would have to be provided by IPA via PKI
> deployment configuration.

That would work.  The other alternative is that we could advertise it in
the root DSE.

> 
> I'm just wondering how LDAPI with autobind would work with nuxwdog.
> Supposedly when nuxwdog is enabled the server can only be started by
> providing the NSS and LDAP database passwords. Does LDAPI with autobind
> make it less secure since the LDAP password is no longer required?

LDAPI still requires the server to be started to work.  How does nuxwdog
fit into this issue?

> 
> Also, LDAPI wouldn't work if the DS is on a different machine in general
> PKI deployment.

Correct.

> 
> I created this page about PKI database upgrade:
> http://pki.fedoraproject.org/wiki/Database_Upgrade
> 
>> Since the new schema is for now only used by and supported for IPA,
>> I think the immediate way forward is to provide the new schema LDIF
>> in the Dogtag package (as the current patch does), and have FreeIPA
>> use it to update the DS.  I will have patch for IPA and updated
>> patch for Dogtag shortly.
>>
>> We will then work out what is the way forward for Dogtag to reliably
>> manage its schema updates in the variety of authentication
>> scenarios.
>>
>> Thanks,
>> Fraser
>

More information about the Freeipa-devel mailing list