[Freeipa-devel] [PATCH] Add DRM to IPA

Rob Crittenden rcritten at redhat.com
Tue Apr 15 15:41:24 UTC 2014

Ade Lee wrote:
> Attached a new patch to address some of the concerns below, specifically
> I created a new base class DogtagInstance, in which much of the common
> CA/KRA code is placed.  I'm sure we could go further in reducing
> duplication, and I'm open to further suggestions and refinements.
> I did not tackle the packaging and spec file dependencies, because I'd
> like some clearer direction on how we want to proceed here.  In any
> case, I think the splitting of the ipa packages into ca and possibly kra
> packages should be a separate patch.
> As before, with this patch you can:
> - install a ca and drm using ipa-server-install
> - install a ca and drm replica using
>     ipa-replica-prepare <hostname>
>     ipa-replica-install --setup-ca --setup-drm <replica file>
> You need to use a PKI build from the 10.2 (master) branch.  One such
> build is given below:
> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/repo/fedora-20-x86_64/vakwetu-dogtag-fedora-20-x86_64.repo

The terms KRA and DRM tend to be used interchangeably. Should we pick one?

Need to bump the version number in install/conf/ipa-pki-proxy.conf so 
that upgrades get the new LocationMatch.

ipa-replica-install still uses the if/then to set the value of 
enable_drm when it can be reduced like you did in ipa-server-install.

In ipa-server-install you have an extra comment, probably left for 
yourself: # code to create drm here

In dogtaginstance.py there are a few direct references to DRM in 
comments and output.

cainstance.py doesn't need to override is_installed.py

I also don't think you need the explicit definitions for enable, 
start_instance, etc. Those should be inherited from the DogtagInstance 
class, in both cainstance.py and drminstance.py.

I think spawn_instance should take an option to add things to nolog in 
case there are server-independent things we don't want to log.

I don't want to pile too much on, but it seems to me that if we are 
going to copy in default.conf then we can do away with realm_info 
completely and just use default.conf. Both would need to be supported 
for a while though. Martin, what do you think?

I still have quite a bit of functional testing to go. I've only 
installed a fresh standalone master. Still need to do upgrade and 
replication testing.
