PKI should support LDAPI for locally installed DS (e.g. IPA). The LDAPI will provide faster and more secure connection to the DS compared to regular LDAP connections. It also eliminates the need to store the Directory Manager password in a file.
See also: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/ldapi-enabling.html
Proposed milestone: 10.3
Good idea!
I suggest to implemented the feature in PKIDatabaseConnection and replace pki.server.deployment.pkiparser ldap code with an instance of PKIDatabaseConnection. pkiparser only checks if ldap connection works anyway.
PKIDatabaseConnection
pki.server.deployment.pkiparser
As discussed in the IPA meeting -- moving this back to 10.3 and assigning it to cheimes.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1303687
Per CS Bug/Ticket Triage held 04/19/2016: 10.4
Bruno Oliveira da Silva from the KeyCloak team has suggested jnr-unixsocket to me, https://github.com/jnr/jnr-unixsocket . It provides a Unix socket that provides java.net.Socket interface. The package and its dependencies are packaged in Fedora.
java.net.Socket
Per Offline Triage of 11/30/2016-12/01/2016: FUTURE - major
Metadata Update from @edewata: - Issue assigned to cheimes - Issue set to the milestone: FUTURE
Per 10.5.x/10.6 Triage: FUTURE
RHBZ: CLOSED UPSTREAM
Metadata Update from @mharmsen: - Custom field feature adjusted to None - Custom field proposedpriority adjusted to None - Custom field reviewer adjusted to None - Custom field rhbz reset (from https://bugzilla.redhat.com/show_bug.cgi?id=1303687) - Custom field version adjusted to None - Issue close_status updated to: None
The jnr-unixsocket library is in Fedora and is available in Red Hat DevTools (as a dependency of Eclipse). It is not in RHEL.
It entails the following dependencies which are also not in RHEL:
Here is a socket factory implementation (albeit based on the junixsocket library, not jnr-unixsocket): https://github.com/vt-middleware/ldaptive/blob/master/ldapi/src/main/java/org/ldaptive/ldapi/AFUnixSocketFactory.java.
Side note: switching to LDAPI in Dogtag avoids two problems related to expired certificates, which affect FreeIPA deployments in particular:
expired LDAP TLS server certificate: Dogtag won't care and can still connect to database and operate
expired subsystem certificate: DS won't care. Dogtag will still have to be configured to ignore selftest failure but once that's done (and pki-server cert-fix can take care of that), it can authenticate to database and operate normally.
pki-server cert-fix
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2144
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Metadata Update from @dmoluguw: - Issue close_status updated to: migrated - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.