[Freeipa-devel] [PATCH] Add DRM to IPA

Ade Lee alee at redhat.com
Tue Apr 15 18:54:40 UTC 2014

Attached is a patch that adds the script ipa-drm-install.

This script will be used to install a drm in any ipa server that
contains a Dogtag CA.  Right now, it works for a master.  I will add
logic in a subsequent patch to allow the installation on a replica using
the same script.

This patch is to applied on top of the previous one.
So, patch 2 and then patch 3.

I will create a patch to address the issues mentioned below, as well as
some other formatting issues reported by pycharm.


On Tue, 2014-04-15 at 11:41 -0400, Rob Crittenden wrote:
> Ade Lee wrote:
> > Attached a new patch to address some of the concerns below, specifically
> > I created a new base class DogtagInstance, in which much of the common
> > CA/KRA code is placed.  I'm sure we could go further in reducing
> > duplication, and I'm open to further suggestions and refinements.
> >
> > I did not tackle the packaging and spec file dependencies, because I'd
> > like some clearer direction on how we want to proceed here.  In any
> > case, I think the splitting of the ipa packages into ca and possibly kra
> > packages should be a separate patch.
> >
> > As before, with this patch you can:
> > - install a ca and drm using ipa-server-install
> > - install a ca and drm replica using
> >     ipa-replica-prepare <hostname>
> >     ipa-replica-install --setup-ca --setup-drm <replia file>
> >
> > You need to use a PKI build from the 10.2 (master) branch).  One such
> > build is given below:
> > http://copr.fedoraproject.org/coprs/vakwetu/dogtag/repo/fedora-20-x86_64/vakwetu-dogtag-fedora-20-x86_64.repo
> The terms KRA and DRM tend to be used interchangeably. Should we pick one?
> Need to bump the version number in install/conf/ipa-pki-proxy.conf so 
> that upgrades get the new LocationMatch.
> ipa-replica-install still uses the if/then to set the value of 
> enable_drm when it can be reduced like you did in ipa-server-install.
> In ipa-server-install you have an extra comment, probably left for 
> yourself: # code to create drm here
> In dogtaginstance.py there are a few direct references to DRM in 
> comments and output.
> cainstance.py doesn't need to override is_installed.py
> I also don't think you need the explicit definitions for enable, 
> start_instance, etc. Those should be inherited from the DogtagInstance 
> class, in both cainstance.py and drminstance.py.
> I think spawn_instance should take an option to add things to nolog in 
> case there are server-independent things we don't want to log.
> I don't want to pile too much on, but it seems to me that if we are 
> going to copy in default.conf then we can do away with realm_info 
> completely and just use default.conf. Both would need to be supported 
> for a while though. Martin, what do you think?
> I still have quite a bit of functional testing to go. I've only 
> installed a fresh standalone master. Still need to do upgrade and 
> replication testing.
> rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Added-ipa-drm-install.patch
Type: text/x-patch
Size: 22704 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20140415/b1d3f952/attachment.bin>

More information about the Freeipa-devel mailing list