freeipa/install
Rob Crittenden 0708f603e2 renew_ca_cert: skip removing non-CA certs, fix nickname
This script deletes all CA certificates so a new chain
can be loaded. It identified CA certs by those that did
not have private keys. This change adds the  ca_flags test
in as well. It is probably sufficient on its own but it
is left for compatibility.

An HSM-based NSS database when not accessing it with the
token will not contain the private keys so removing all
certificates without a private key will remove certificates
that it shouldn't. The NSS softoken stores the certifcate
trust so the certificates will be visible but they lack
private keys because those reside in the HSM. Therefore
deleting any certificate without a private key removed
nearly everything.

Preserve the nickname 'caSigningCert cert-pki-ca'. The
certstore uses the nickame format '{REALM} IPA CA' and
will replace the PKI-named key if we don't act to
preserve it.

Fixes: https://pagure.io/freeipa/issue/9273

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2024-05-16 08:46:32 -04:00
..
certmonger pylint: Fix useless-suppression 2022-03-11 13:37:08 -05:00
custodia Replace PYTHONSHEBANG with valid shebang 2019-06-24 09:35:57 +02:00
html Change FreeIPA references to IPA and Identity Management 2021-01-21 13:51:45 +01:00
migration pylint: Replace deprecated cgi module 2023-01-10 08:30:58 +01:00
oddjob ipa config: add --enable-sid option 2021-11-02 10:11:28 +01:00
restart_scripts renew_ca_cert: skip removing non-CA certs, fix nickname 2024-05-16 08:46:32 -04:00
share Add LDAP attribute ipaCaHSMConfiguration to store HSM state 2024-05-16 08:46:32 -04:00
tools Add HSM configuration options to installer scripts 2024-05-16 08:46:32 -04:00
ui webui: Unify user group members columns with users columns 2024-01-12 15:26:45 +01:00
updates updates: add ACIs for RBCD self-management 2023-09-11 09:51:51 +02:00
wsgi wgi/plugins.py: ignore empty plugin directories 2020-11-06 16:38:37 -05:00
Makefile.am Move Custodia secrets handler to scripts 2019-04-26 12:09:22 +02:00
README.schema Add some basic rules for adding new schema 2010-08-27 13:40:37 -04:00

Ground rules on adding new schema

Brand new schema, particularly when written specifically for IPA, should be
added in share/*.ldif. Any new files need to be explicitly loaded in
ipaserver/install/dsinstance.py. These simply get copied directly into
the new instance schema directory.

Existing schema (e.g. in an LDAP draft) may either be added as a separate
ldif in share or as an update in the updates directory. The advantage of
adding the schema as an update is if 389-ds ever adds the schema then the
installation won't fail due to existing schema failing to load during
bootstrap.

If the new schema requires a new container then this should be added
to install/bootstrap-template.ldif.