diff options
| author | Ade Lee <alee@redhat.com> | 2012-09-19 12:37:41 -0400 |
|---|---|---|
| committer | Ade Lee <alee@redhat.com> | 2012-09-19 22:20:34 -0400 |
| commit | e1666df57fb49b4c2c20563559cd2a7450a6f9f4 (patch) | |
| tree | 8b372320ca55260d777c815dae104ef05ad7f240 /base/console | |
| parent | 9173b431751486018957428e67392a4a94a86baf (diff) | |
| download | pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.gz pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.tar.xz pki-e1666df57fb49b4c2c20563559cd2a7450a6f9f4.zip | |
Changes to use standard dbuser
We create a user that can be used to connect to the database using the
subsystem cert for client auth. We identified this user, using the seeAlso
attribute and provided certmap rules to this effect.
For this user, we used to reuse the uid = user CA-hostname-port, which is already
created for inter-system communication. But this is problematic if more than one
dbuser exists, as the directory server may bind as the incorrect user. In any
replication topology, there must be only one dbuser using the subsystem cert.
To simplify things, we create a new user specifically for this purpose
(pkidbuser), and we remove the seeAlso attribute from the older dbusers.
A script is needed to convert existing dogtag 9 istances to use the new user,
and set the relevant acls. This will be done in a separate commit.
Diffstat (limited to 'base/console')
0 files changed, 0 insertions, 0 deletions