[Freeipa-users] Using already running dogtag-instance possible?
Oliver Burtchen
o.burtchen at gmx.de
Fri Apr 16 22:34:00 UTC 2010
On Friday, 16 April 2010 15:43:52, Rob Crittenden wrote:
> ...
> > Just to remember, I'm using the latest IPA V2 from the repository
> > http://jdennis.fedorapeople.org/ipa-devel/fedora/12/... I found that in
> > the docs and hope it's the best source. And I'm using a clean F12
> > installation with all updates.
>
> I don't know about "best" but it is basically our daily builds. So buyer
> beware :-)
I'm aware of this. ;-)
> ...
> Hmm, it seems like this should have been fixed in
> https://bugzilla.redhat.com/show_bug.cgi?id=442310 .
> I think the best thing to do would be to open a new bug and reference
> this old one. Bug 441974 is currently closed so is likely not on
> anyone's radar.
Okay, I reported a new one:
https://bugzilla.redhat.com/show_bug.cgi?id=583177
It's just that I'm not a fan of flooding bugzilla with the same reports.
> ...
> Yes, I wasn't aware of this restriction myself. I think it is definitely
> something that should be addressed. We are trying to be UTF-8 friendly
> in v2 and currently have 8 or 9 translations of the IPA management
> framework (though no German translation yet).
>
> For a short-term fix would it be acceptable if we set LC_CTYPE to en_US
> when installing dogtag?
I agree with it as a workaround. Best practice IMHO would be:
Insert a "LANG=en_US" at the top of /etc/init.d/pki-cad
and run pkicreate/pkisilent/pkiremove/... as
# LANG=en_US pkicreate ...
in ipa-server-install and friends.
>
> > b)
> > Using „ipa-server-install --setup-dns“, the SOA Records in DNS are wrong.
> >
> > There are missing trailing dots for server-name and email, at the
> > reverse-zone also in the zone-name. To look at this, just use dig and dig
> > -x on the domain; changing it directly in ldap corrects it.
> >
> > Should be easy to fix in ipaserver/install/bindinstance.py
>
> Martin, can you look into this? I filed
> https://bugzilla.redhat.com/show_bug.cgi?id=583023
> ...
> > c)
> > manpage ipa-server-install(1): there is no short-option -U for
> > --uninstall, it's bogus with --unattended
>
> Gah, good catch. I pushed this as a one-liner fix.
Great, thanks. Btw, is it better to report such things in bugzilla, here on
the list, or both? As I said, I'm not a fan of flooding bugzilla.
>
> > Thoughts and wishes which could be realized with no big effort:
> >
> > d)
> > Email for zone-manager in bind-setup should be asked/customizable
> > (root at domain.name is IMHO not a good choice). Maybe this option/answer
> > should also be used as „o=IPA,e=manager at domain.name“ in base-subject for
> > certificates, when --subject is not set by the user.
>
> We do something similar when installing dogtag. We set -admin_email to
> root at localhost.
>
> I filed https://bugzilla.redhat.com/show_bug.cgi?id=583027
Thanks!
>
> > e)
> > To me, ipa is more an organisational unit, not the organisation of an
> > individual soho ipa installation. IMHO a better choice for the default
> > subject (if not given by option) used by certificates would be „o=Local
> > Security Domain,ou=IPA,e=manager at domain.name". This could be academic
> > ;-) , but it's easier to find the certs in a certificate manager
> > (firefox for example), and it is clearer that there is no official/global
> > IPA CA or trust center with the name IPA.
>
> Yeah, my picking o=IPA was truly arbitrary. I'm open to further
> suggestions. By "Local Security Domain" do you mean substitute the
> domain name for this or literally use that string?
Well, I looked around a little bit, there seems to be no reserved or common
dn/subject-name or something like this for local/private installs of a CA. I
only found an RFC about reserved domain names for local installs:
http://tools.ietf.org/html/rfc2606
So my best guesses, if we don't want to ask the user for the organization name
(but asking would be great):
literally use "o=Local Security Domain,ou=FreeIPA,e=..." or
literally use "o=Localhost Security Domain,ou=FreeIPA,e=..." or
"o=<domain> Security Domain,ou=FreeIPA,e=..."
where in the last example <domain> should be replaced with the FQDN (without
server) or the uppercase kerberos realm.
Best regards,
Oli
>
> > f)
> > The default valid-range in dogtag for ca-signing cert is 2 years, others
> > are half a year. This is a little bit short. Signing certs for a CA are
> > normally good for 10 years, and if I think about the release-schedule and
> > updates of fedora, the cert for clients/servers should be valid for at
> > least 1 ½ years in this context.
>
> I'll let the dogtag guys comment on this. I agree that 2 years for a CA
> sounds a bit short.
>
> > Thoughts and wishes for the future:
> >
> > g)
> > Currently only SHA1withRSA is used/supported by the pkisilent
> > installation, but it is a little bit outdated. Despite this, the
> > dogtag-system supports the successors like SHA256, etc. out of the box.
> > There was a discussion about it here:
> >
> > https://www.redhat.com/archives/pki-users/2010-April/msg00007.html
> >
> > Currently you have to renew your initial certs with dogtag by hand, to
> > get this modern hash-alg. It would be nice if ipa-server-install would
> > give an option to choose the hash-alg as soon as pkisilent does.
>
> Yes, I think that if they add this capability we would want to take
> advantage of it.
>
> > Okay, hope it was not too much for one posting,
> > best regards,
> > Oli
>
> This is great feedback, thanks!
>
> rob
>
> > On Tuesday, 13 April 2010 19:58:23, Rob Crittenden wrote:
> >> Oliver Burtchen wrote:
> >>> Hi Rob,
> >>>
> >>> thanks for the answer. I know about the external CA-Cert possibility of
> >>> ipa-server-install. But it does not do what I want.
> >>>
> >>> I did setup a dogtag ca and a fedora-ds (389). It would be nice, if
> >>> freeipa could just use them. I find it a little bit inconsistent that
> >>> dogtag tries to be a central service, and freeipa claims to be the
> >>> same, setting up a new one.
> >>
> >> Well, it gets tricky because we need an RA certificate in IPA and there
> >> is no automated way to get this with an existing dogtag installation.
> >> This is why making IPA a subordinate CA is suggested, so you can
> >> continue with your existing central authority.
> >>
> >> I'm sure it's possible to wedge in an existing dogtag instance, it would
> >> just take a bit of work and lots of code reading. Among the things you'd
> >> have to do are:
> >>
> >> - change the dogtag ports in IPA
> >> - have your CA issue an RA certificate and trust that user in the
> >> existing CA
> >> - load that RA cert and private key into /etc/httpd/alias using the
> >> right nickname
> >> - set the right CA type in /etc/ipa/default.conf on the IPA server
> >>
> >> Perhaps some other things I'm missing. I'm not sure how cloning will
> >> work in this case.
> >>
> >>> BTW: Freeipa setup tells me that it should be the only 389-instance,
> >>> and exits gracefully. Well, my dogtag and bind setup with 389-backend
> >>> works quite well, I just want freeipa to use them.
> >>
> >> IPA is really geared for configuration on a fresh install. We have to
> >> touch so many things the installation is difficult as it is. Having to
> >> integrate with a lot of existing services makes this doubly more
> >> difficult. You can always disable the check (only via code now, no
> >> arguments for this).
> >>
> >>> Is there a possibility to setup freeipa this way? Thanks for the all in
> >>> one setup, but it means I cannot run another ldap (389)
> >>> server(-instance) on a machine where freeipa is running. Is this right?
> >>
> >> You can't if it is already installed, at least not without a small code
> >> change.
> >>
> >> We have to use the 80/20 rule here and try to have some control over the
> >> initial environment before trying the installation. It is probably
> >> possible to do what you want given time and patience but we are unlikely
> >> to do this in the near future.
> >>
> >> rob
> >>
> >>> Best regards,
> >>> Oli
> >>>
> >>> On Friday, 9 April 2010 23:42:54, Rob Crittenden wrote:
> >>>> Oliver Burtchen wrote:
> >>>>> Hi @all,
> >>>>>
> >>>>> is it possible to use an already configured and running
> >>>>> dogtag-instance for freeipa V2 in the installation process? I would
> >>>>> like to give ipa-server-install just the params for the
> >>>>> dogtag-instance/server to use, and skip its own creation-process
> >>>>> (pkisilent ...).
> >>>>>
> >>>>> Or are there arguments for an extra CA used by freeipa?
> >>>>>
> >>>>> Background: I customized dogtag for my needs (using SHA256, default
> >>>>> to 10 year validity of ca-SigningCert, organization and location
> >>>>> defaults, etc. ).
> >>>>>
> >>>>> Best regards,
> >>>>> Oli
> >>>>
> >>>> Probably the best way to do it would be to use the external CA install
> >>>> option (--external-ca). This is a two-step installation process. The
> >>>> first step generates a CSR for the IPA CA. You take this CSR to your
> >>>> existing CA and issue a subordinate CA certificate that will be used
> >>>> by IPA. Then you continue the IPA Installation and it sets up a
> >>>> separate dogtag instance with this subordinate CA.
> >>>>
> >>>> It might be possible to wedge in an existing dogtag install into IPA
> >>>> in another way but I haven't yet tried it.
> >>>>
> >>>> rob
>
--
Oliver Burtchen, Berlin
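An added illustration of the SOA problem described in point (b) above; this is not code from FreeIPA's bindinstance.py or from anyone in the thread. It renders an SOA record the way --setup-dns should (zone, mname and rname as absolute names, admin email converted to RNAME form, reverse zone built from the network) and checks a rendered line for the unqualified names BIND would otherwise silently suffix with the zone origin. The SOA timers and the sample lines are constructed assumptions.

```python
"""Render and sanity-check SOA values for a BIND zone (added example)."""
import re

# Assumed default timers: refresh, retry, expire, minimum (seconds).
SOA_TIMERS = (3600, 900, 1209600, 3600)


def to_absolute(name: str) -> str:
    """Return a DNS name with exactly one trailing dot (absolute name)."""
    return name.rstrip(".") + "."


def email_to_rname(email: str) -> str:
    """Convert a mailbox such as root@example.com into SOA RNAME form:
    the '@' becomes a dot and dots in the local part are escaped."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        raise ValueError("admin email must look like user@domain")
    return to_absolute(local.replace(".", "\\.") + "." + domain)


def reverse_zone(network: str) -> str:
    """Build the absolute in-addr.arpa name for an IPv4 /8, /16 or /24."""
    addr, _, plen = network.partition("/")
    octets = addr.split(".")
    bits = int(plen or 24)
    if len(octets) != 4 or bits not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 networks are handled")
    kept = octets[: bits // 8]
    return to_absolute(".".join(reversed(kept)) + ".in-addr.arpa")


def build_soa(zone: str, server: str, admin_email: str, serial: int) -> str:
    """Render one SOA line with every name absolute."""
    return "%s IN SOA %s %s (%d %d %d %d %d)" % (
        (to_absolute(zone), to_absolute(server), email_to_rname(admin_email),
         serial) + SOA_TIMERS)


SOA_RE = re.compile(r"^(\S+)\s+IN\s+SOA\s+(\S+)\s+(\S+)\s+\(")


def find_unqualified(soa_line: str) -> list:
    """Return which of zone/mname/rname lack the trailing dot (the bug
    seen with 'dig' and 'dig -x' on the installed zones)."""
    match = SOA_RE.match(soa_line)
    if not match:
        raise ValueError("not an SOA line: %r" % soa_line)
    fields = ("zone", "mname", "rname")
    return [f for f, v in zip(fields, match.groups()) if not v.endswith(".")]
```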