summaryrefslogtreecommitdiffstats
path: root/base/console
diff options
context:
space:
mode:
authorAde Lee <alee@redhat.com>2012-09-19 12:37:41 -0400
committerAde Lee <alee@redhat.com>2012-09-19 22:20:34 -0400
commite1666df57fb49b4c2c20563559cd2a7450a6f9f4 (patch)
tree8b372320ca55260d777c815dae104ef05ad7f240 /base/console
parent9173b431751486018957428e67392a4a94a86baf (diff)
downloadpki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.gz
pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.xz
pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.zip
Changes to use standard dbuser
We create a user that can be used to connect to the database using the subsystem cert for client auth. We identified this user, using the seeAlso attribute and provided certmap rules to this effect. For this user, we used to reuse the uid = user CA-hostname-port, which is already created for inter-system communication. But this is problematic if more than one dbuser exists, as the directory server may bind as the incorrect user. In any replication topology, there must be only one dbuser using the subsystem cert. To simplify things, we create a new user specifically for this purpose (pkidbuser), and we remove the seeAlso attribute from the older dbusers. A script is needed to convert existing dogtag 9 istances to use the new user, and set the relevant acls. This will be done in a separate commit.
Diffstat (limited to 'base/console')
0 files changed, 0 insertions, 0 deletions