[Pki-devel] [Freeipa-devel] [PATCH] - Add DRM to IPA
Endi Sukma Dewata
edewata at redhat.com
Wed Jul 16 15:12:01 UTC 2014
On 7/14/2014 4:45 AM, Ade Lee wrote:
> Hi all,
>
> I have rebased all the previous patches against master, and have squashed them all into a single patch.
> It's a large patch, but as many folks have already reviewed the constituent precursor patches, most of it
> should be familiar and easier to review.
>
> The main difference with what was specified before is that the DRM database is installed as a subtree
> to o=ipaca. This means that no new replication agreements will be needed to replicate DRM data.
> Replication agreements set up for the Dogtag CA will automatically replicate DRM data.
>
> In order for this patch to work, a new build of Dogtag 10.2 is needed - with specific changes to
> allow the ability to install a database as a subtree of an existing tree. At this time, these
> changes have not yet been checked into the dogtag source. You can obtain such a build from:
>
> http://copr.fedoraproject.org/coprs/vakwetu/dogtag/build/21936/
>
> Please review,
>
> Thanks,
> Ade
Some comments/questions:
1. The suffix for the DRM is o=ipadrm,o=ipaca. It's probably better to
change it to ou=drm,o=ipaca since another "ipa" under o=ipaca would be
redundant. In the future we might want to migrate the current CA entries
into ou=ca,o=ipaca subtree so that ou=ca and ou=drm will be at the same
level, and keep o=ipaca as the parent tree for Dogtag subsystems.
Alternatively, we probably could merge o=ipaca and o=ipadrm since the
structure of each tree seems to have been designed to share the user and
groups, but still maintain separate structure for CA/KRA-specific
storage. The current Dogtag probably doesn't support this, but it's a
possibility with additional work.
2. If a clone doesn't have DRM installed but it's getting replicated DRM
data, is there any concern?
3. The Dogtag dependency should be updated to 10.2. Also the
dogtag_version and DOGTAG_VERSION variables are probably not granular
enough to detect the minor version. This message should be updated too:
Dogtag must be version 10.1 or above to install DRM
4. It's probably unnecessary to override the following methods in
CAInstance since they only call the base methods.
* enable()
* start_instance()
* stop_instance()
* restart_instance()
* http_proxy()
5. The following code in ipaserver/plugins/dogtag.py will no longer work
due to a recent change in Dogtag:
    transport_cert = kraclient.system_certs.get_transport_cert()
    tcert = transport_cert[
        len(pki.CERT_HEADER):
        len(transport_cert) - len(pki.CERT_FOOTER)]
    crypto.import_cert(
        self.transport_nick,
        base64.decodestring(tcert), "u,u,u")
This is how it's used now in drmtest.py:
    transport_cert = kraclient.system_certs.get_transport_cert()
    print "Subject DN: " + transport_cert.subject_dn
    print transport_cert.encoded
    crypto.import_cert(transport_nick, transport_cert, "u,u,u")
6. The code in ipaserver/install/drminstance.py creates a file
/tmp/drm.p12. How long will this file stay in the /tmp folder? Should it
be moved into a more permanent location? If it's a temporary file, can
we use the python tempfile module?
--
Endi S. Dewata
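To illustrate the tempfile suggestion in point 6 above, here is an added example (not code from the IPA patch, from drminstance.py, or from Dogtag) of staging a PKCS#12 blob in a temporary file without the problems of a fixed /tmp/drm.p12 path: a guessable name that another local user can pre-create or symlink, a file that may be world-readable depending on umask, and a file that lingers after the installer is done. The export_and_import() driver is a hypothetical stand-in for the installer step that writes the .p12 and hands it to a consumer; the FAKE_P12 bytes are constructed and are not a real PKCS#12 structure. The example targets Python 3.

```python
"""Staging a secret file (e.g. a PKCS#12 export) with the tempfile module.

Added example, not part of the IPA patch under review. export_and_import()
is a hypothetical stand-in for the installer step that writes drm.p12 and
passes it on; FAKE_P12 is a constructed placeholder, not a real PKCS#12 blob.
"""
import os
import stat
import tempfile
from contextlib import contextmanager

# Constructed placeholder. A real caller would pass the bytes produced by
# pk12util or the Dogtag installer here.
FAKE_P12 = b"\x30\x82\x00\x10constructed-not-a-real-pkcs12"


@contextmanager
def secure_temp_file(data, suffix=".p12", directory=None):
    """Write *data* to a freshly created, owner-only (0600) temporary file.

    tempfile.mkstemp creates the file with O_CREAT|O_EXCL and mode 0600,
    so an attacker cannot pre-create or symlink a guessable name (the
    weakness of a fixed /tmp/drm.p12), and the permissions do not depend
    on the process umask. The file is unlinked when the with-block exits,
    including on error, so the key material does not linger in /tmp.
    """
    fd, path = tempfile.mkstemp(suffix=suffix, dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:  # fdopen takes ownership of fd
            f.write(data)
        yield path
    finally:
        try:
            os.unlink(path)
        except FileNotFoundError:
            pass


def file_mode(path):
    """Return only the permission bits of *path*, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def export_and_import(p12_bytes, directory=None):
    """Hypothetical driver: stage the PKCS#12 in a temp file, let a consumer
    read it back, and report (mode, bytes_read, exists_after_cleanup)."""
    with secure_temp_file(p12_bytes, directory=directory) as path:
        mode = file_mode(path)
        with open(path, "rb") as f:  # the "consumer" (e.g. pk12util -i)
            read_back = f.read()
        staged_path = path
    # After the with-block the file must be gone.
    return mode, read_back, os.path.exists(staged_path)


if __name__ == "__main__":
    mode, data, exists = export_and_import(FAKE_P12)
    print("mode=%o bytes=%d exists_after=%s" % (mode, len(data), exists))
```

If the installer needs the file to survive (for example for a later clone to pick up), the same pattern applies: create it with mkstemp (or os.open with O_CREAT|O_EXCL and mode 0o600) in a directory owned by the service user, then os.rename it into its permanent location, rather than writing to a predictable name in /tmp.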