Open pki-bot opened 4 years ago
Comment from cheimes (@tiran) at 2016-01-22 16:58:38
Good idea!
I suggest implementing the feature in PKIDatabaseConnection and replacing the pki.server.deployment.pkiparser LDAP code with an instance of PKIDatabaseConnection. pkiparser only checks if the LDAP connection works anyway.
Comment from mharmsen (@mharmsen) at 2016-02-01 18:39:58
As discussed in the IPA meeting -- moving this back to 10.3 and assigning it to tiran.
Comment from mharmsen (@mharmsen) at 2016-02-01 18:40:55
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1303687
Comment from mharmsen (@mharmsen) at 2016-04-21 00:33:34
Per CS Bug/Ticket Triage held 04/19/2016: 10.4
Comment from cheimes (@tiran) at 2016-09-16 13:12:49
Bruno Oliveira da Silva from the KeyCloak team has suggested jnr-unixsocket to me, https://github.com/jnr/jnr-unixsocket . It provides a Unix socket that provides the java.net.Socket interface. The package and its dependencies are packaged in Fedora.
Comment from mharmsen (@mharmsen) at 2016-12-01 21:27:44
Per Offline Triage of 11/30/2016-12/01/2016: FUTURE - major
Comment from mharmsen (@mharmsen) at 2018-04-10 16:44:02
Per 10.5.x/10.6 Triage: FUTURE
RHBZ: CLOSED UPSTREAM
Comment from ftweedal (@frasertweedale) at 2019-03-06 00:11:42
The jnr-unixsocket library is in Fedora and is available in Red Hat DevTools (as a dependency of Eclipse). It is not in RHEL.
It entails the following dependencies which are also not in RHEL:
Here is a socket factory implementation (albeit based on the junixsocket library, not jnr-unixsocket): https://github.com/vt-middleware/ldaptive/blob/master/ldapi/src/main/java/org/ldaptive/ldapi/AFUnixSocketFactory.java.
Comment from ftweedal (@frasertweedale) at 2019-03-06 00:17:53
Side note: switching to LDAPI in Dogtag avoids two problems related to expired certificates, which affect FreeIPA deployments in particular:
- expired LDAP TLS server certificate: Dogtag won't care and can still connect to the database and operate
- expired subsystem certificate: DS won't care. Dogtag will still have to be configured to ignore selftest failure, but once that's done (and pki-server cert-fix can take care of that), it can authenticate to the database and operate normally.
This issue was migrated from Pagure Issue #1585. Originally filed by edewata (@edewata) on 2015-08-25 18:10:25:
PKI should support LDAPI for a locally installed DS (e.g. IPA). LDAPI will provide a faster and more secure connection to the DS compared to regular LDAP connections. It also eliminates the need to store the Directory Manager password in a file.
See also: https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/ldapi-enabling.html
Proposed milestone: 10.3
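To make the password-less property of LDAPI concrete, here is an added example (not Dogtag code, and not the jnr-unixsocket or junixsocket approach mentioned above): a minimal SASL EXTERNAL bind over a DS Unix socket using only the Python standard library, the kind of check pkiparser performs today with a password. The socket path is an assumed placeholder; the BER layout follows RFC 4511.

```python
# Added example (not Dogtag code): SASL EXTERNAL bind over LDAPI, stdlib only.
# The DS trusts the peer's Unix credentials, so no Directory Manager password
# file is needed. BER per RFC 4511; the socket path is an assumed placeholder.
import socket
from urllib.parse import quote

def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value

def sasl_external_bind(msg_id: int = 1) -> bytes:
    """LDAPMessage { messageID (0..127), BindRequest { v3, empty DN, sasl EXTERNAL } }."""
    creds = tlv(0xA3, tlv(0x04, b"EXTERNAL"))  # [3] SaslCredentials, no credentials
    bind = tlv(0x60, tlv(0x02, b"\x03") + tlv(0x04, b"") + creds)  # [APPLICATION 0]
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + bind)

def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(resp: bytes) -> int:
    """resultCode from a BindResponse ([APPLICATION 1], tag 0x61); 0 is success."""
    _, msg, _ = read_tlv(resp, 0)  # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg, 0)  # skip messageID
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, _ = read_tlv(body, 0)  # ENUMERATED resultCode
    return int.from_bytes(code, "big")

def ldapi_url(socket_path: str) -> str:
    """ldapi:// URL as python-ldap/OpenLDAP expect it: the path is percent-encoded."""
    return "ldapi://" + quote(socket_path, safe="")

def ldapi_bind(socket_path: str = "/var/run/slapd-EXAMPLE.socket") -> int:
    """Connect to the DS Unix socket, send the bind, return the LDAP resultCode."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(sasl_external_bind())
        return bind_result_code(s.recv(4096))
```

On a real DS the bind only succeeds if the socket's peer identity is mapped to a directory entry (DS autobind), which is what replaces the stored password.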