mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
09aa3d1f76
The ipa-cert-fix tool wraps `pki-server cert-fix`, performing additional certificate requests for non-Dogtag IPA certificates and performing additional actions. In particular: - Run cert-fix with arguments particular to the IPA deployment. - Update IPA RA certificate in the ipara user entry (if renewed). - Add shared certificates (if renewed) to the ca_renewal LDAP container for replication. - Become the CA renewal master if shared certificates were renewed. This ensures other CA replicas, including the previous CA renewal master if not the current host, pick up those new certificates when Certmonger attempts to renew them. Fixes: https://pagure.io/freeipa/issue/7885 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Ground rules on adding new schema Brand new schema, particularly when written specifically for IPA, should be added in share/*.ldif. Any new files need to be explicitly loaded in ipaserver/install/dsinstance.py. These simply get copied directly into the new instance schema directory. Existing schema (e.g. in an LDAP draft) may either be added as a separate ldif in share or as an update in the updates directory. The advantage of adding the schema as an update is if 389-ds ever adds the schema then the installation won't fail due to existing schema failing to load during bootstrap. If the new schema requires a new container then this should be added to install/bootstrap-template.ldif.