[Freeipa-devel] should server install be done in two stages?

Karl MacMillan kmacmill at redhat.com
Mon Nov 12 20:36:19 UTC 2007


On Mon, 2007-11-12 at 15:09 -0500, John Dennis wrote:
> Let me throw out an idea, see if it rings true ...
> 
> We seem to have a somewhat awkward install scenario that I think is in 
> part due to the lack of a "post install" step, but maybe I'm just not 
> understanding the architecture well enough. Here's the issues:
> 
> We use LDAP for our backend, some ipa components need to modify the 
> contents of our dirsrv instance or modify its configuration. We have a 
> nice interface in ipaldap.py for connecting to the server 
> adding/modifying entries. But we're not using that interface during 
> server install, I assume because we haven't bootstrapped far enough to 
> be able to bind to our ds instance as the admin. But imagine if we had...
> 
> Right now we're getting around this problem with a proliferation of ldif 
> template files in /usr/share/ipa and passing them to /usr/bin/ldapmodify 
> with the admin password. IMHO it's a bit awkward, probably doesn't scale 
> gracefully, and it's probably not the best mechanism to take into account 
> site wide defaults.
> 
> I'm finding for the radius stuff, and I think this has general 
> application, a lot of what I want to do to initially set things up is 
> not really bootstrapping, rather it's things I'd like to do by calling 
> our LDAP API (e.g. add/modify entries). I could use the LDAP API if we 
> had completed the bootstrapping stage. Suppose IPA components were 
> installed/instantiated in two steps instead of just one, bootstrap and 
> postinstall.
> 

No reason to have the two-step process. After the DS instance is created
- which is the first step - you are free to bind to the directory and
make changes. In fact, the krb tools do just that and that's what I'm
doing in the replication setup. All you need to do is to pass down the
directory manager password to do the simple bind.

Karl
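As an added example, not FreeIPA code and not something either poster wrote, the Python below shows the "LDIF template plus /usr/bin/ldapmodify" bootstrap path John describes, done so that the Directory Manager password Karl mentions passing down never appears on the command line (where "-w PASSWORD" would expose it to anyone running ps). The template text, the $SUFFIX/$REALM values, the bind DN, the server URI and the temporary-file layout are constructed assumptions for illustration; the ldapmodify flags used (-x, -H, -D, -y, -f) are standard OpenLDAP client options.

```python
# Added example (not FreeIPA's own code): render an LDIF template, parse it,
# and hand it to ldapmodify as Directory Manager with the password read from
# a 0600 file (-y) instead of from argv (-w).
import base64
import os
import string
import subprocess
import tempfile

# Constructed sample template in the style of the files under /usr/share/ipa.
# $SUFFIX and $REALM are filled in at install time.
SAMPLE_TEMPLATE = """\
dn: cn=radius,cn=services,cn=etc,$SUFFIX
changetype: add
objectClass: top
objectClass: nsContainer
cn: radius
description: RADIUS service container for
  $REALM
description:: Y29uc3RydWN0ZWQ=
"""


def render_template(template, values):
    """Substitute $NAME placeholders (site-wide defaults) into an LDIF template."""
    return string.Template(template).substitute(values)


def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})], handling folded lines and ::base64."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # continuation: join to previous line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):  # skip blanks and comments
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):              # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
    return entries


def ldapmodify_argv(uri, binddn, passfile, ldif_path):
    """argv for a simple bind whose password comes from a file, not from argv."""
    return ["/usr/bin/ldapmodify", "-x", "-H", uri, "-D", binddn,
            "-y", passfile, "-f", ldif_path]


def run_ldapmodify(uri, binddn, password, template, values, dry_run=False):
    """Render the template and apply it as binddn. With dry_run, return argv only."""
    ldif_text = render_template(template, values)
    # mkdtemp creates the directory 0700, so only this user can list it.
    with tempfile.TemporaryDirectory() as tmp:
        passfile = os.path.join(tmp, "dm.pw")
        ldif_path = os.path.join(tmp, "mod.ldif")
        # Create the password file 0600 before writing; ldapmodify -y uses the
        # complete file contents as the password, so write no trailing newline.
        fd = os.open(passfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as f:
            f.write(password)
        with open(ldif_path, "w") as f:
            f.write(ldif_text)
        argv = ldapmodify_argv(uri, binddn, passfile, ldif_path)
        if dry_run:
            return argv
        return subprocess.run(argv, check=True, capture_output=True, text=True)


if __name__ == "__main__":
    values = {"SUFFIX": "dc=example,dc=com", "REALM": "EXAMPLE.COM"}
    for dn, attrs in parse_ldif(render_template(SAMPLE_TEMPLATE, values)):
        print(dn, attrs)
    print(run_ldapmodify("ldap://localhost", "cn=Directory Manager",
                         "s3cret", SAMPLE_TEMPLATE, values, dry_run=True))
```

Because -x is a simple bind, the Directory Manager password still crosses the connection in clear unless the URI is an ldapi:// socket or -ZZ (StartTLS) is added; on the server being installed, the local ldapi:// socket is the safer assumption.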
