[Freeipa-devel] update on freeipa 4.2 pki issues

Fraser Tweedale ftweedal at redhat.com
Wed Jun 17 11:09:11 UTC 2015


On Wed, Jun 17, 2015 at 12:28:33PM +0200, thierry bordaz wrote:
> Hello Fraser,
> 
>    The schema is propagated on all replicas. So if you update the
>    schema, the updates will eventually be present everywhere.
>    There are two ways to update the schema.
> 
>      * online update (preferred), you simply do a ldapmodify on
>        'cn=schema' adding/updating attributetypes/objectclasses
>      * offline. You stop a replica/master, update the schema files,
>        start the server. This is not the preferred solution because
>        depending on version of DS it can take more time to detect the
>        new schema and propagate it.
> 
>    Do you know how CS schema upgrade will be done (online/offline) ?
>    Is it the new definitions
>    http://www.freeipa.org/page/V4/Certificate_Profiles#Schema ?
> 
>    Thanks
>    thierry
> 
Thanks Thierry for your detailed reply!  The schema is actually
defined by Dogtag and is used only by the Dogtag directory tree
(under DN o=ipa-ca).  I will do an online update.

Cheers,
Fraser

> On 06/17/2015 07:52 AM, Martin Kosek wrote:
> >On 06/16/2015 06:39 PM, Fraser Tweedale wrote:
> >>I fixed several issues which broke Dogtag upgrades involving
> >>particular versions; these will be in the next release.
> >>
> >>I haven't yet gotten to the reported failure running
> >>ipa-replica-upgrade on a replica (but I haven't forgotten about it
> >>either.)  This is the only issue affecting *fresh installs* that I
> >>am aware of.  If you know of others please let me know!
> >>
> >>The remaining Dogtag-related upgrade problem is caused by new DS
> >>schema on the Dogtag side, which is used for LDAP-based profiles.
> >>There is not yet an automatic schema upgrade facility for Dogtag, so
> >>the new schema was missing.
> >>
> >>The planned approach is:
> >>
> >>- Either Dogtag or FreeIPA will add the new CS schema on upgrade.
> >>   (Eventually Dogtag will need to manage its own schema updates but
> >>   right now there is no facility, and the new schema is only used by
> >>   IPA.)
> >
> >If possible, I would prefer Dogtag to update the schema the best it can,
> >otherwise there is a risk of collisions or upgrade breakages if FreeIPA
> >starts updating Dogtag internals.
> >
> >>- Migrate file-based profiles into LDAP during IPA upgrade.  But for
> >>   this to work, I need to make sure that if new schema is added,
> >>   then entries that use the new schema, replication to instances
> >>   that did not yet have the new schema will not break.  Anyone who
> >>   knows LDAP better than me, please share your knowledge!
> >
> >Shouldn't schema just replicate, when the first FreeIPA+CS is upgraded?
> >CCing Thierry for reference, he had a lot of fun with schema upgrades.
> >
> >>
> >>- If my assumptions about replication are wrong, the best approach
> >>   will probably be to have the administrator perform profile
> >>   migration (via a script) as a later task, after all replicas have
> >>   been upgraded.
> >
> >Not a fan of this, FreeIPA upgrades should be ideally automatic and
> >straightforward. So far we did not have problems with automatic upgrades
> >(well, except Dogtag9->Dogtag10 upgrade - I would prefer not to have such
> >situation again).
> >
> >Thanks for updates!
> >Martin
> 
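The online update path and the "is the schema on every replica yet?" check discussed above, as an added example that is not part of this thread or of FreeIPA/Dogtag code. The per-replica schema output, the host names and the `exampleProfile` objectClass are constructed placeholders.

```python
import re

# Constructed sample: what each replica returns for
#   ldapsearch -b cn=schema -s base '(objectClass=*)' objectClasses
# Names and OIDs are placeholders, not Dogtag's real profile schema.
SAMPLE_SCHEMA = {
    "replica1.example.test": [
        "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )",
        "( 1.3.6.1.4.1.99999.1.1 NAME ( 'exampleProfile' 'exProfile' ) "
        "SUP top STRUCTURAL MUST ( cn $ exampleProfileConfig ) )",
    ],
    "replica2.example.test": [
        "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )",
    ],
}

# NAME is a single quoted qdescr or a parenthesised list of them (RFC 4512).
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def schema_names(definitions):
    """Lower-cased set of every NAME found in a list of schema descriptions."""
    names = set()
    for desc in definitions:
        match = NAME_RE.search(desc)
        if match is None:
            continue
        if match.group(1):
            names.add(match.group(1).lower())
        else:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(2)))
    return names


def missing_schema(per_replica, required):
    """Map each replica to the required names it does not expose yet.

    Entries using a new objectClass should only be created once every
    list here is empty; otherwise they replicate to a replica that
    cannot validate them, which is the breakage the thread worries about."""
    return {host: [n for n in required if n.lower() not in schema_names(defs)]
            for host, defs in per_replica.items()}


def add_objectclass_ldif(oid, name, must, may=()):
    """LDIF for the online path: ldapmodify against cn=schema."""
    must_clause = " MUST ( " + " $ ".join(must) + " )" if must else ""
    may_clause = " MAY ( " + " $ ".join(may) + " )" if may else ""
    return ("dn: cn=schema\nchangetype: modify\nadd: objectClasses\n"
            f"objectClasses: ( {oid} NAME '{name}' SUP top STRUCTURAL"
            f"{must_clause}{may_clause} )\n")
```

Feed the LDIF to `ldapmodify` on one master, then poll `missing_schema` against live `ldapsearch` output from each replica before running any profile migration.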