[Freeipa-devel] [PATCH] 0053..0054 Configure lightweight CA key replication

Jan Cholasta jcholast at redhat.com
Tue Apr 26 08:02:45 UTC 2016


On 21.4.2016 05:30, Fraser Tweedale wrote:
> On Thu, Apr 14, 2016 at 04:39:37PM +1000, Fraser Tweedale wrote:
>> Hi all,
>>
>> The attached patches configure lightweight CA key replication on IPA
>> CAs, on upgrade and installation.
>>
>> Patches 0051..0052 from my other mail are also needed for the system
>> to work, but this patchset does not depend on them and can be
>> reviewed independently.
>>
>> There is also no hard dependency on the (unreleased) Dogtag 10.3.0b1
>> - it just puts the necessary principals/keys/configuration in place.
>>
>> Cheers,
>> Fraser
>>
> New patches attached;  0054-2 changes the service name from
> 'dogtag-ipa-custodia' to just 'dogtag', and adds an ACI to allow the
> principal to search server Custodia keys.

Patch 53:

I'm not sure about this approach - the cn of custodia keys in LDAP is a 
free-form string; I would not tie it to service names, but rather try to 
keep it short.

In the key replication section of the design page, you mention 
"ca/$NAME"; I think this is a good template for the cn and that we 
should stick to it.


Patch 54:

1) This belongs to CAInstance.configure_instance():

+    CA = cainstance.CAInstance(
+            api.env.realm, certs.NSS_DIR, host_name=api.env.host)
+    CA.setup_lightweight_ca_key_retrieval()
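Review bot: the local variable `CA` is written in all caps, which Python style (PEP 8) reserves for module-level constants; since it holds a fresh `cainstance.CAInstance(...)` object, name it `ca` (or `ca_instance`, as the later hunk does) so readers do not mistake it for a constant, and indent the continuation line `api.env.realm, certs.NSS_DIR, host_name=api.env.host)` to align with the opening parenthesis rather than by twelve spaces.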


2) Any ACI changes should be in a separate patch. (What happened to 
patch 52?)


3) This is not a platform constant, just a constant:

+    PKI_GSSAPI_SERVICE_NAME = 'dogtag'


4) CAInstance.setup_lightweight_ca_key_retrieval() does too much. Please 
split it into a "setup keytab" and "setup custodia" parts.


5) This also belongs to CAInstance.configure_instance():

+    if setup_ca:
+        # CA was configured before Kerberos;
+        # add Custodia client princ and keys now
+        ca_instance.setup_lightweight_ca_key_retrieval()
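Review bot: the comment "CA was configured before Kerberos; add Custodia client princ and keys now" records an ordering prerequisite (Kerberos must already be set up when `setup_lightweight_ca_key_retrieval()` runs) that nothing in the code checks; document the prerequisite in the method's docstring, or have the method fail early with a clear error when the Kerberos configuration it depends on is not present, so a future reordering of the installer steps does not break it silently.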

In order for that to work, you need to move the ca.install_step_1() 
after krb.create_instance(), but that should be OK, since KrbInstance 
does not talk to the CA.


Honza

-- 
Jan Cholasta



