[Pki-devel] replication of new/modified profiles

Fraser Tweedale ftweedal at redhat.com
Mon Jul 7 07:08:05 UTC 2014


Thank you for all of the feedback on the LDAP profiles design.
There were a lot of interesting questions/comments/suggestions from
the Dogtag, FreeIPA and DS teams.  Most of this feedback has been
incorporated into the wiki. Alternative suggestions have been moved
to the History section in favour of the most strongly favoured
solution: LDAP-only profiles, and no automatic upgrades of default
profiles.

    http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage

The other important change to the document is more information about
how refreshing the profiles will be done, when modifications are
replicated from other clones.  Please review that section (and the
LDAP schema, as some new schema was added).

Finally, I have added my planned implementation steps to the
Implementation section, and without further ado, I am starting.  Of
course, I welcome ongoing discussion of the design; it can be
tweaked as necessary.

Fraser

On Wed, Jun 18, 2014 at 05:44:19PM +1000, Fraser Tweedale wrote:
> Hi all,
> 
> A requirement from the FreeIPA side is the ability to add and
> customise CA profiles.  Dogtag's current profile creation behaviour
> writes the new profile to the filesystem beside the standard
> profiles (as well as making the appropriate update to the registry,
> etc.)
> 
> There does not seem to be a mechanism to distribute new/modified
> profiles to replicas - though perhaps I have missed something.
> 
> Because this behaviour is required, unless I have overlooked
> something or there is a better way (in which case please shout out),
> I think it makes sense to begin a design proposal for an LDAP-based
> profile store.
> 
> Finally, a brief mention of some tickets related to profile storage
> that could be good to tackle simultaneously should the proposed
> change go ahead:
> 
> - https://fedorahosted.org/pki/ticket/778
> - https://fedorahosted.org/freeipa/ticket/4002
> 