[Freeipa-devel] [PATCH] 0053..0054 Configure lightweight CA key replication
Jan Cholasta
jcholast at redhat.com
Tue Apr 26 08:02:45 UTC 2016
On 21.4.2016 05:30, Fraser Tweedale wrote:
> On Thu, Apr 14, 2016 at 04:39:37PM +1000, Fraser Tweedale wrote:
>> Hi all,
>>
>> The attached patches configure lightweight CA key replication on IPA
>> CAs, on upgrade and installation.
>>
>> Patches 0051..0052 from my other mail are also needed for the system
>> to work, but this patchset does not depend on them and can be
>> reviewed independently.
>>
>> There is also no hard dependency on the (unreleased) Dogtag 10.3.0b1
>> - it just puts the necessary principals/keys/configuration in place.
>>
>> Cheers,
>> Fraser
>>
> New patches attached; 0054-2 changes the service name from
> 'dogtag-ipa-custodia' to just 'dogtag', and adds an ACI to allow the
> principal to search server Custodia keys.
Patch 53:
I'm not sure about this approach - the cn of custodia keys in LDAP is a
free-form string; I would not tie it to service names, but rather try to
keep it short.
In the key replication section of the design page, you mention
"ca/$NAME", I think this is a good template for the cn and that we
should stick to it.
Patch 54:
1) This belongs to CAInstance.configure_instance():
+ CA = cainstance.CAInstance(
+ api.env.realm, certs.NSS_DIR, host_name=api.env.host)
+ CA.setup_lightweight_ca_key_retrieval()
2) Any ACI changes should be in a separate patch. (What happened to
patch 52?)
3) This is not a platform constant, just a constant:
+ PKI_GSSAPI_SERVICE_NAME = 'dogtag'
4) CAInstance.setup_lightweight_ca_key_retrieval() does too much. Please
split it into "setup keytab" and "setup custodia" parts.
5) This also belongs to CAInstance.configure_instance():
+ if setup_ca:
+ # CA was configured before Kerberos;
+ # add Custodia client princ and keys now
+ ca_instance.setup_lightweight_ca_key_retrieval()
In order for that to work, you need to move the ca.install_step_1()
after krb.create_instance(), but that should be OK, since KrbInstance
does not talk to the CA.
Honza
--
Jan Cholasta
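Added example (not code from FreeIPA, Dogtag or either author of this thread) of the "ca/$NAME" cn template the review suggests for lightweight CA Custodia keys. Since the cn is a free-form string, the one thing that matters when the entry is addressed by DN is RFC 4514 escaping of the RDN value, which the helper below does; the container DN, the function names and the sample CA names are all assumptions made for the illustration.

```python
"""Added illustration of the "ca/$NAME" Custodia key cn template.

Not FreeIPA's or the patch author's code. The container DN is an assumed
placeholder, not FreeIPA's real Custodia keys container.
"""

CUSTODIA_KEYS_CONTAINER = "cn=custodia,cn=ipa,cn=etc,dc=example,dc=test"  # assumed

# Characters that must always be escaped inside an RDN attribute value (RFC 4514 s.2.4).
_ALWAYS_ESCAPE = set('"+,;<>\\')


def rdn_escape(value: str) -> str:
    """Escape an attribute value for use as an RDN value per RFC 4514 s.2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")           # NUL is written as a hex pair
        elif ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)        # special characters anywhere in the value
        elif ch == "#" and i == 0:
            out.append("\\#")            # leading '#' would start a hex-encoded value
        elif ch == " " and i in (0, last):
            out.append("\\ ")            # leading/trailing space is significant only if escaped
        else:
            out.append(ch)
    return "".join(out)


def lightweight_ca_key_cn(ca_name: str) -> str:
    """Return the Custodia key cn for a lightweight CA using the ca/$NAME template."""
    if not ca_name or ca_name != ca_name.strip():
        raise ValueError("CA name must be non-empty with no surrounding whitespace")
    # '/' is an ordinary character in a cn value; no escaping is needed for the
    # attribute itself, only for the RDN when the entry is addressed by DN.
    return "ca/" + ca_name


def lightweight_ca_key_dn(ca_name: str, container: str = CUSTODIA_KEYS_CONTAINER) -> str:
    """Return the DN of the Custodia key entry, escaping the cn for the RDN.

    Escaping here is what keeps a CA name containing ',' or '+' from being
    parsed as extra RDN components (i.e. from changing which entry the DN
    names).
    """
    return "cn=" + rdn_escape(lightweight_ca_key_cn(ca_name)) + "," + container


def is_lightweight_ca_key_cn(cn: str) -> bool:
    """Check whether a cn read back from LDAP follows the ca/$NAME template."""
    return cn.startswith("ca/") and len(cn) > len("ca/")


if __name__ == "__main__":
    for name in ("ipa-ca", "sub,ca", "#hash"):  # constructed sample names
        print(lightweight_ca_key_cn(name), "->", lightweight_ca_key_dn(name))
```

The check in lightweight_ca_key_cn rejects names that are empty or padded with whitespace, so two CA names that differ only in surrounding spaces cannot map to distinct entries that look the same in a listing.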