[Pki-devel] [Freeipa-devel] [PATCH] - Add DRM to IPA

Endi Sukma Dewata edewata at redhat.com
Wed Jul 16 15:12:01 UTC 2014


On 7/14/2014 4:45 AM, Ade Lee wrote:
> Hi all,
>
> I have rebased all the previous patches against master, and have squashed them all into a single patch.
> It's a large patch, but as many folks have already reviewed the constituent precursor patches, most of it
> should be familiar and easier to review.
>
> The main difference with what was specified before is that the DRM database is installed as a subtree
> to o=ipaca.  This means that no new replication agreements will be needed to replicate DRM data.
> Replication agreements set up for the Dogtag CA will automatically replicate DRM data.
>
> In order for this patch to work, a new 10.2 build of Dogtag 10.2 is needed - with specific changes to
> allow the ability to install a database as a subtree of an existing tree.  At this time, these
> changes have not yet been checked into the dogtag source.   You can obtain such a build from:
>
> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/21936/
>
> Please review,
>
> Thanks,
> Ade

Some comments/questions:

1. The suffix for the DRM is o=ipadrm,o=ipaca. It's probably better to 
change it to ou=drm,o=ipaca since another "ipa" under o=ipaca would be 
redundant. In the future we might want to migrate the current CA entries 
into ou=ca,o=ipaca subtree so that ou=ca and ou=drm will be at the same 
level, and keep o=ipaca as the parent tree for Dogtag subsystems.

Alternatively, we probably could merge o=ipaca and o=ipadrm since the 
structure of each tree seems to have been designed to share the users and 
groups, but still maintain separate structures for CA/KRA-specific 
storage. The current Dogtag probably doesn't support this, but it's a 
possibility with additional work.

2. If a clone doesn't have DRM installed but it's getting replicated DRM 
data, is there any concern?

3. The Dogtag dependency should be updated to 10.2. Also the 
dogtag_version and DOGTAG_VERSION variables are probably not granular 
enough to detect the minor version. This message should be updated too:

   Dogtag must be version 10.1 or above to install DRM

4. It's probably unnecessary to override the following methods in 
CAInstance since they only call the base methods.
* enable()
* start_instance()
* stop_instance()
* restart_instance()
* http_proxy()

5. The following code in ipaserver/plugins/dogtag.py will no longer work 
due to a recent change in Dogtag:

     transport_cert = kraclient.system_certs.get_transport_cert()
     tcert = transport_cert[
         len(pki.CERT_HEADER):
         len(transport_cert) - len(pki.CERT_FOOTER)]

     crypto.import_cert(
         self.transport_nick,
         base64.decodestring(tcert), "u,u,u")

This is how it's used now in drmtest.py:

     transport_cert = kraclient.system_certs.get_transport_cert()
     print "Subject DN: " + transport_cert.subject_dn
     print transport_cert.encoded
     crypto.import_cert(transport_nick, transport_cert, "u,u,u")

6. The code in ipaserver/install/drminstance.py creates a file 
/tmp/drm.p12. How long will this file stay in the /tmp folder? Should it 
be moved into a more permanent location? If it's a temporary file, can 
we use the python tempfile module?

-- 
Endi S. Dewata
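Added example (not from the patch under review or from FreeIPA): comment 6 above asks whether the fixed path /tmp/drm.p12 could be replaced by Python's tempfile module. The helper below shows what that looks like in practice. It creates the file with tempfile.mkstemp (O_CREAT|O_EXCL, mode 0600, unpredictable name), so a pre-existing file or symlink at a guessable /tmp name cannot be overwritten or used to expose the exported PKCS#12 blob, and it unlinks the file as soon as the caller is done. The SAMPLE_P12 bytes and the function names are constructed for the demonstration.

```python
import os
import stat
import tempfile
from contextlib import contextmanager

# Constructed sample: stands in for the PKCS#12 blob a DRM install would export.
SAMPLE_P12 = b"\x30\x82\x00\x10constructed-p12-bytes-not-a-real-keystore"


@contextmanager
def private_p12_file(data, suffix=".p12"):
    """Write ``data`` to a freshly created temp file that only the current
    user can read, yield its path, and unlink it when the block exits.

    tempfile.mkstemp opens with O_CREAT|O_EXCL and mode 0600 under an
    unpredictable name, which is what a fixed /tmp/drm.p12 path lacks.
    """
    fd, path = tempfile.mkstemp(prefix="drm-", suffix=suffix)
    try:
        with os.fdopen(fd, "wb") as f:   # takes ownership of fd; closed on exit
            f.write(data)
        yield path
    finally:
        try:
            os.unlink(path)              # key material does not linger in /tmp
        except FileNotFoundError:
            pass


def file_is_private(path):
    """True if ``path`` is a regular file (not a symlink) with mode 0600."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def demo():
    """Exercise the helper.

    Returns (created_with_0600, contents_round_tripped, removed_after_use).
    """
    with private_p12_file(SAMPLE_P12) as path:
        private = file_is_private(path)
        with open(path, "rb") as f:
            matched = f.read() == SAMPLE_P12
        kept = path
    removed = not os.path.exists(kept)
    return private, matched, removed


if __name__ == "__main__":
    print(demo())
```

If the file has to outlive the installer (for example to be imported by a later step), the same mkstemp call can be pointed at a directory owned by the service user via the `dir=` argument rather than left in /tmp.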
