Thank you for all of the feedback on the LDAP profiles design.
There were a lot of interesting questions/comments/suggestions from
the Dogtag, FreeIPA and DS teams. Most of this feedback has been
incorporated into the wiki. Alternative suggestions have been moved
to the History section in favour of the most strongly favoured
solution: LDAP-only profiles, and no automatic upgrades of default
profiles.
http://pki.fedoraproject.org/wiki/LDAP_Profile_Storage
The other important change to the document is more information about
how refreshing the profiles will be done, when modifications are
replicated from other clones. Please review that section (and the
LDAP schema, as some new schema was added).
Finally, I have added my planned implementation steps to the
Implementation section, and without further ado, I am starting. Of
course, I welcome ongoing discussion of the design; it can be
tweaked as necessary.
Fraser
On Wed, Jun 18, 2014 at 05:44:19PM +1000, Fraser Tweedale wrote:
Hi all,
A requirement from the FreeIPA side is the ability to add and
customise CA profiles. Dogtag's current profile creation behaviour
writes the new profile to the filesystem beside the standard
profiles (as well as making the appropriate update to the registry,
etc.)
There does not seem to be a mechanism to distribute new/modified
profiles to replicas - though perhaps I have missed something.
Because this behaviour is required, unless I have overlooked
something or there is a better way (in which case please shout out),
I think it makes sense to begin a design proposal for an LDAP-based
profile store.
Finally, a brief mention of some tickets related to profile storage
that could be good to tackle simultaneously should the proposed
change go ahead:
- https://fedorahosted.org/pki/ticket/778
- https://fedorahosted.org/freeipa/ticket/4002
_______________________________________________
Pki-devel mailing list
Pki-devel(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-devel