[Freeipa-users] Using already running dogtag-instance possible?

Rob Crittenden rcritten at redhat.com
Fri Apr 16 13:43:52 UTC 2010 

Oliver Burtchen wrote:
> Hi Dmitri,
> hi Rob,
> 
> first of all, thanks for your support and the detailed answers. It makes it 
> clearer to me what the goal of freeipa is. I think it would fit exactly my 
> needs for a new soho installation (managing round about 20 clients, some 
> laptops and often changing employees), if some issues can be solved. I'll try 
> to answer to you both together.
> 
> Just to remember, I'm using the latest IPA V2 from the repository 
> http://jdennis.fedorapeople.org/ipa-devel/fedora/12/...  I found that in the 
> docs and hope its the best source. And I'm using a clean F12 installation with 
> all updates.

I don't know about "best" but it is basically our daily builds. So buyer 
beware :-)

> I started to fiddle around with the installation process, because it breaks by 
> bug a)  after solving it I saw bug b), and so on..  ;-)  After that, I came to 
> the conclusion it would be better to setup dns and dogtag by hand. But it 
> would be great just to use ipa-server-install. So here are my observations 
> with hopefully helpful solution-hints, as I wrote them down for myself.
> 
> By the way, thanks for the great work to the FreeIPA-Team so far.
> 
> 
> Bugs and solution-hints:
> 
> a)
> The installation-process of pki/dogtag (pkicreate/pkisilent) throws an 
> exception and breaks down documented in the logs, if the locale is different 
> from „en“. This is not because of missing translations, but because of a wrong 
> use of java-load-resources (filenames) in the pki-sources, so it does not find 
> the english fallbacks (which are the only ones for now, what is okay). As I 
> described in this bugreport 
> https://bugzilla.redhat.com/show_bug.cgi?id=441974#c34  it is very obviously 
> and easy to fix, but now pending for 2 years.

Hmm, it seems like this should have been fixed in 
https://bugzilla.redhat.com/show_bug.cgi?id=442310 .
I think the best thing to do would be to open a new bug and reference 
this old one. Bug 441974 is currently closed so is likely not on 
anyone's radar.

> 
> And the dogtag 
> Known Issues: Problems and Solutions – page 
> 
> http://pki.fedoraproject.org/wiki/PKI_Known_Issues
> 
> just says: „Change LC_CTYPE to en_US before starting and everything will 
> work“.
> 
> Okay, I understand. Sounds a little bit like what I heard often: Change 
> OS_TYPE to MS before starting and everything will work. Just kidding.  ;-)
> 
> But it should not be difficult to change a handfull of  filenames, so this great 
> peace of software would work all over the world, not just in the english 
> locale. I don't want to comment this any further.  ;-)

Yes, I wasn't aware of this restriction myself. I think it is definitely 
something that should be addressed. We are trying to be UTF-8 friendly 
in v2 and currently have 8 or 9 translations of the IPA management 
framework (though no German translation yet).

For a short-term fix would it be acceptable if we set LC_CTYPE to en_US 
when installing dogtag?

> 
> b) 
> Using „ipa-server-install --setup-dns“, the SOA Records in DNS are wrong. 
> 
> There are missing trailing dots for server-name und email, at reverse-zone 
> also in the zone-name. To look at this, just use dig and dig -x on domain, 
> changing it directly in ldap corrects it..
> 
> Should be easy to fix in ipaserver/install/bindinstance.py

Martin, can you look into this? I filed 
https://bugzilla.redhat.com/show_bug.cgi?id=583023

> 
> c)
> manpage ipa-server-install(1): there is no short-option -U for --uninstall, 
> it's bogus with --unattended
> 

Gah, good catch. I pushed this as a one-liner fix.

> 
> 
> 
> Thoughts and wishes which could be realized with no big effort:
> 
> d)
> Email for zone-manager in bind-setup should be asked/customizeable 
> (root at domain.name is IMHO not a good choice). Maybe this option/answer should 
> also be used as „o=IPA,e=manager at domain.name“ in base-subject for certificates, 
> when –subject is not set by user.

We do something similar when installing dogtag. We set -admin_email to 
root at localhost.

I filed https://bugzilla.redhat.com/show_bug.cgi?id=583027

> e)
> To me, ipa is more an organisational unit, not the organisation of an 
> individual soho ipa installation. IMHO a better choice for the default subject 
> (if not given by option) used by certificates would be „o=Local Security 
> Domain,ou=IPA,e=manager at domain.name". This could be academic  ;-)  , but it's 
> easier to find the certs in an certificate manager (firefox for example), and it 
> is clearer that there is no official/global IPA CA or trust center with the name 
> IPA.

Yeah, my picking o=IPA was truly arbitrary. I'm open to further 
suggestions. By "Local Security Domain" do you mean substitute the 
domain name for this or literally use that string?

> f)
> The default valid-range in dogtag for ca-signing cert is 2 years, others are a 
> half year. This is a little bit short. Signing certs for a ca are normaly good 
> for 10 years, and if I think about the release-schedule und updates of fedora, 
> the cert for clients/servers should be valid for at least 1 ½ year in this 
> context.

I'll let the dogtag guys comment on this. I agree that 2 years for a CA 
sounds a bit short.

> Thoughts and wishes for the future:
> 
> g)
> Currently only SHA1withRSA is used/supported by the pkisilent installation, 
> but it is a little bit outdated. Despite this, the dogtag-system supports the 
> successors like SHA256, etc. out of the box. There was a discussion about it 
> here:
> 
> https://www.redhat.com/archives/pki-users/2010-April/msg00007.html
> 
> Currently you have to renewal your initial certs with dogtag by hand, to get 
> this modern hash-alg. It would be nice, if  ipa-server-install would give an 
> option to choose the hash-alg as soon, as pkisilent does. 

Yes, I think that if they add this capability we would want to take 
advantage of it.

> Okay, hope it was not to much for one posting,
> best regards,
> Oli

This is great feedback, thanks!

rob

> 
> 
> 
> 
> 
> Am Dienstag, 13. April 2010 19:58:23 schrieb Rob Crittenden:
>> Oliver Burtchen wrote:
>>> Hi Rob,
>>>
>>> thanks for the answer. I know about the externel CA-Cert possibility of
>>> ipa- server- install. But it does not what I want.
>>>
>>> I did setup a dogtag ca and a fedora-ds (389). It would be nice, if
>>> freeipa could just use them. I find it a little bit inconsitent that
>>> dogtag tries to be a central service, and freeipa claims to be the same,
>>> setting up a new one.
>> Well, it gets tricky because we need an RA certificate in IPA and there
>> is no automated way to get this with an existing dogtag installation.
>> This is why making IPA a subordinate CA is suggested, so you can
>> continue with your existing central authority.
>>
>> I'm sure it's possible to wedge in an existing dogtag instance, it would
>> just take a bit of work and lots of code reading. Among the things you'd
>> have to do are:
>>
>> - change the dogtag ports in IPA
>> - have your CA issue an RA certificate and trust that user in the
>> existing CA
>> - load that RA cert and private key into /etc/httpd/alias using the
>> right nickname
>> - set the right CA type in /etc/ipa/default.conf on the IPA server
>>
>> Perhaps some other things I'm missing. I'm not sure how cloning will
>> work in this case.
>>
>>> BTW.: Freeipa setup tells me, that it should be the only 389-instance,
>>> and exist gracefully. Well, my dogtag and bind setup with 389-backend
>>> works quiet well, i just want freeipa to use them.
>> IPA is really geared for configuration on a fresh install. We have to
>> touch so many things the installation is difficult as it is. Having to
>> integrate with a lot of existing services makes this doubly more
>> difficult. You can always disable the check (only via code now, no
>> arguments for this).
>>
>>> Is there a possibility to setup freeipa this way? Thanks for the all in
>>> one setup, but it means I cannot run an other ldap (389)
>>> server(-instance) on a machine where freeipa is running. Is this right?
>> You can't if it is already installed, at least not without a small code
>> change.
>>
>> We have to use the 80/20 rule here and try to have some control over the
>>   initial environment before trying the installation. It is probably
>> possible to do what you want given time and patience but we are unlikely
>> to do this in the near future.
>>
>> rob
>>
>>> Best regards,
>>> Oli
>>>
>>> Am Freitag, 9. April 2010 23:42:54 schrieb Rob Crittenden:
>>>> Oliver Burtchen wrote:
>>>>> Hi @all,
>>>>>
>>>>> is it possible to use an already configured und running dogtag-instance
>>>>> for freeipa V2 in the installation process? I would like to give
>>>>> ipa-server- install just the params for the dogtag-instance/server to
>>>>> use, and skip its own creation-process (pkisilence ...).
>>>>>
>>>>> Or are there arguments for an extra CA used by freeipa?
>>>>>
>>>>> Background: I customized dogtag for my needs (using SHA256, default to
>>>>> 10 year validity of ca-SigningCert, organization and location defaults,
>>>>> etc. ).
>>>>>
>>>>> Best regards,
>>>>> Oli
>>>> Probably the best way to do it would be to use the external CA install
>>>> option (--external-ca). This is a two-step installation process. The
>>>> first step generates a CSR for the IPA CA. You take this CSR to your
>>>> existing CA and issue a subordinate CA certificate that will be used by
>>>> IPA. Then you continue the IPA Installation and it sets up a separate
>>>> dogtag instance with this subordinate CA.
>>>>
>>>> It might be possible to wedge in an existing dogtag install into IPA in
>>>> another way but I haven't yet tried it.
>>>>
>>>> rob
>

More information about the Freeipa-users mailing list