[Pki-devel] [PATCH] 0057-Changes-to-use-standard-dbuser

Ade Lee alee at redhat.com
Wed Sep 19 17:19:21 UTC 2012


 Changes to use standard dbuser
    
    We create a user that can be used to connect to the database using the
    subsystem cert for client auth.  We identified this user using the seeAlso
    attribute and provided certmap rules to this effect.
    
    For this user, we used to reuse the uid = user CA-hostname-port, which is already
    created for inter-system communication.  But this is problematic if more than one
    dbuser exists, as the directory server may bind as the incorrect user.  In any
    replication topology, there must be only one dbuser using the subsystem cert.
    
    To simplify things, we create a new user specifically for this purpose
    (pkidbuser), and we remove the seeAlso attribute from the older dbusers.
    
    A script is needed to convert existing dogtag 9 instances to use the new user,
    and set the relevant ACLs.  This will be done in a separate commit.

Please review.

Ade

-------------- next part --------------
A non-text attachment was scrubbed...
Name: pki-vakwetu-0057-Changes-to-use-standard-dbuser.patch
Type: text/x-patch
Size: 14849 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/pki-devel/attachments/20120919/70e8d544/attachment.bin>
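
The commit message above requires that only one dbuser be mapped to the subsystem cert. A check for that condition over an LDIF export, as an added example that is not part of the original post or of the Dogtag code base. Assumptions: the seeAlso value holds the subsystem certificate's subject DN, and the DNs, subject and LDIF sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample export (hypothetical DNs and subject, not from a real instance).
SAMPLE_LDIF = """\
dn: uid=CA-host1.example.test-9443,ou=people,dc=pki,dc=example,dc=test
uid: CA-host1.example.test-9443
seeAlso: CN=CA Subsystem, O=EXAMPLE.TEST

dn: uid=pkidbuser,ou=people,dc=pki,dc=example,dc=test
uid: pkidbuser
seeAlso: cn=CA Subsystem,o=EXAMPLE.TEST

dn: uid=admin,ou=people,dc=pki,dc=example,dc=test
uid: admin
"""

def parse_ldif(text):
    """Yield (dn, attrs) per entry. Folded lines are joined; base64 ('::') values are not decoded."""
    text = re.sub(r"\n ", "", text.strip())  # unfold continuation lines
    for block in re.split(r"\n\s*\n", text):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ": " not in line:
                continue
            name, value = line.split(": ", 1)
            attrs[name.lower()].append(value.strip())
        if attrs.get("dn"):
            yield attrs["dn"][0], attrs

def norm_dn(dn):
    """Simplified comparison key: case-folded, spaces around RDNs removed.
    Assumption: no escaped commas in the DNs being compared."""
    rdns = (rdn.partition("=") for rdn in dn.split(","))
    return ",".join(f"{k.strip().lower()}={v.strip().lower()}" for k, _, v in rdns)

def users_mapped_to_cert(ldif_text, cert_subject):
    """Return DNs of entries whose seeAlso matches the certificate subject."""
    want = norm_dn(cert_subject)
    return [dn for dn, attrs in parse_ldif(ldif_text)
            if any(norm_dn(v) == want for v in attrs.get("seealso", []))]

def audit(ldif_text, cert_subject, expected_uid="pkidbuser"):
    """(ok, hits): ok only if exactly one entry matches and it is expected_uid."""
    hits = users_mapped_to_cert(ldif_text, cert_subject)
    ok = len(hits) == 1 and norm_dn(hits[0]).startswith(f"uid={expected_uid.lower()},")
    return ok, hits

if __name__ == "__main__":
    ok, hits = audit(SAMPLE_LDIF, "CN=CA Subsystem,O=EXAMPLE.TEST")
    print("OK" if ok else "AMBIGUOUS", hits)
```

On the constructed sample the audit fails because the older inter-system user still carries seeAlso; removing that attribute leaves pkidbuser as the only match.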

