mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
a087d82e78
PKIConnection now defaults to specifying verify=True. We've introduced a new parameter, cert_paths, to specify additional paths (directories or files) to load as certificates. Specify the IPA CA certificate file so we can guarantee connections succeed and validate the peer's certificate. Point to IPA CA certificate during pkispawn Bump pki_version to 10.9.0-0.4 (aka -b2) Fixes: https://pagure.io/freeipa/issue/8379 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1849155 Related: https://github.com/dogtagpki/pki/pull/443 Related: https://bugzilla.redhat.com/show_bug.cgi?id=1426572 Signed-off-by: Alexander Scheel <ascheel@redhat.com> Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
Ground rules on adding new schema Brand new schema, particularly when written specifically for IPA, should be added in share/*.ldif. Any new files need to be explicitly loaded in ipaserver/install/dsinstance.py. These simply get copied directly into the new instance schema directory. Existing schema (e.g. in an LDAP draft) may either be added as a separate ldif in share or as an update in the updates directory. The advantage of adding the schema as an update is if 389-ds ever adds the schema then the installation won't fail due to existing schema failing to load during bootstrap. If the new schema requires a new container then this should be added to install/bootstrap-template.ldif.