Hi all,
A requirement from the FreeIPA side is the ability to add and
customise CA profiles. Dogtag's current profile creation behaviour
writes the new profile to the filesystem beside the standard
profiles (as well as making the appropriate update to the registry,
etc.)
There does not seem to be a mechanism to distribute new/modified
profiles to replicas - though perhaps I have missed something.
Because this behaviour is required, unless I have overlooked
something or there is a better way (in which case please shout out),
I think it makes sense to begin a design proposal for an LDAP-based
profile store.
Finally, a brief mention of some tickets related to profile storage
that could be good to tackle simultaneously should the proposed
change go ahead:
- https://fedorahosted.org/pki/ticket/778
- https://fedorahosted.org/freeipa/ticket/4002