Overview
The pkidbuser is an LDAP user created to replace cn=Directory Manager. It is not a PKI user, so it can be moved from ou=people to the parent subtree (the subsystem base DN). All references to it must be updated accordingly.
Since moving the user affects certificate mapping and the ACLs, the process should be done in multiple steps to minimize downtime.
New Instances
On new instances the pkidbuser will be added to the correct location automatically.
Existing Instances with Separate Databases
Adding New Users
This should be executed once on the clone hosting the subsystem.
Add the new users into the new location in each database:
$ ldapadd -h <subsystem>.example.com -p 389 -x -D "cn=Directory Manager" -w Secret.123
dn: uid=pkidbuser,dc=<subsystem>,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: pkidbuser
sn: pkidbuser
uid: pkidbuser
userCertificate;binary:: <base64-encoded DER certificate>
Configure ACLs for the new users:
$ pki-ds backend-access-grant ca uid=pkidbuser,dc=ca,dc=example,dc=com
$ pki-ds backend-access-grant kra uid=pkidbuser,dc=kra,dc=example,dc=com
$ pki-ds backend-access-grant ocsp uid=pkidbuser,dc=ocsp,dc=example,dc=com
$ pki-ds backend-access-grant tks uid=pkidbuser,dc=tks,dc=example,dc=com
$ pki-ds backend-access-grant tps uid=pkidbuser,dc=tps,dc=example,dc=com
Switch certificate mappings:
$ ldapmodify -h <subsystem>.example.com -p 389 -x -D "cn=Directory Manager" -w Secret.123
dn: uid=pkidbuser,dc=<subsystem>,dc=example,dc=com
changetype: modify
add: seeAlso
seeAlso: CN=Subsystem Certificate,O=EXAMPLE

dn: uid=pkidbuser,ou=people,dc=<subsystem>,dc=example,dc=com
changetype: modify
delete: seeAlso
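The two LDIF fragments above have to be produced once per subsystem database, with the subsystem's own suffix and with the certificate value base64-encoded (LDIF cannot carry raw DER). The following is an added example, not code from the Dogtag project: it generates both the ldapadd record and the seeAlso swap for every subsystem named on the page and reads the result back to confirm the round trip. The domain dc=example,dc=com, the certificate subject and the use of the userCertificate;binary attribute option are taken from the page or assumed as noted in the comments; the certificate bytes are a constructed stand-in.

```python
import base64

# Subsystems named on the page; each has its own database suffix dc=<subsystem>,...
SUBSYSTEMS = ("ca", "kra", "ocsp", "tks", "tps")
DOMAIN_DN = "dc=example,dc=com"                      # the page's example domain
CERT_SUBJECT = "CN=Subsystem Certificate,O=EXAMPLE"  # subject used on the page


def base_dn(subsystem, domain_dn=DOMAIN_DN):
    return f"dc={subsystem},{domain_dn}"


def old_dn(subsystem, domain_dn=DOMAIN_DN):
    """Original location of pkidbuser, under ou=people."""
    return f"uid=pkidbuser,ou=people,{base_dn(subsystem, domain_dn)}"


def new_dn(subsystem, domain_dn=DOMAIN_DN):
    """Target location, directly under the subsystem suffix."""
    return f"uid=pkidbuser,{base_dn(subsystem, domain_dn)}"


def fold_ldif_line(line, width=76):
    """Fold a long LDIF line; continuation lines start with one space (RFC 2849)."""
    if len(line) <= width:
        return line
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def add_user_ldif(subsystem, cert_der, domain_dn=DOMAIN_DN):
    """LDIF record for the ldapadd step (the 'Add the new users' block)."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    lines = [
        f"dn: {new_dn(subsystem, domain_dn)}",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "cn: pkidbuser",
        "sn: pkidbuser",
        "uid: pkidbuser",
        # Binary values must be base64 in LDIF, hence the double colon.
        # The ';binary' attribute option is an assumption about the directory schema.
        fold_ldif_line(f"userCertificate;binary:: {b64}"),
    ]
    return "\n".join(lines) + "\n"


def switch_mapping_ldif(subsystem, cert_subject=CERT_SUBJECT, domain_dn=DOMAIN_DN):
    """LDIF for the ldapmodify step: add seeAlso on the new entry, drop it on the old.
    ldapmodify requires a blank line between the two change records."""
    return (
        f"dn: {new_dn(subsystem, domain_dn)}\n"
        "changetype: modify\n"
        "add: seeAlso\n"
        f"seeAlso: {cert_subject}\n"
        "\n"
        f"dn: {old_dn(subsystem, domain_dn)}\n"
        "changetype: modify\n"
        "delete: seeAlso\n"
    )


def unfold_ldif(text):
    """Join folded continuation lines back together."""
    out = []
    for line in text.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def certificate_from_ldif(text):
    """Recover the DER bytes from a generated add record (round-trip check)."""
    for line in unfold_ldif(text):
        if line.startswith("userCertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1])
    return None


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate; the real one is the subsystem certificate.
    sample_der = bytes(range(256)) * 2
    for sub in SUBSYSTEMS:
        print(add_user_ldif(sub, sample_der))
        print(switch_mapping_ldif(sub))
```

Feed each subsystem's output to ldapadd and ldapmodify exactly as shown on the page; keeping the add and the seeAlso swap as separate records preserves the page's ordering, where the new entry exists before the certificate mapping is moved.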
Updating PKI Servers
This should be executed one server at a time.
Stop PKI server:
$ systemctl stop pki-tomcatd@pki-tomcat.service
Update the remaining (redundant) references to the old user in CS.cfg so that they point to the new DN (see IPA Ticket #5298):
internaldb.ldapauth.bindDN=uid=pkidbuser,dc=<subsystem>,dc=example,dc=com
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,dc=<subsystem>,dc=example,dc=com
Restart PKI server:
$ systemctl start pki-tomcatd@pki-tomcat.service
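Removing the old user while any server still binds as it takes that subsystem down, so it is worth checking every CS.cfg before proceeding to the next section. The following is an added example, not part of the page or of Dogtag: it parses a CS.cfg fragment, lists every bindDN parameter that still names the ou=people entry, and produces a rewritten copy pointing at the parent subtree. The fragment is constructed for the example; the key names other than the two on the page are assumed.

```python
import re

# The pre-move DN prefix. DNs are case-insensitive, so match that way.
OLD_USER_PREFIX = re.compile(r"^uid=pkidbuser,\s*ou=people,\s*", re.IGNORECASE)


def parse_cs_cfg(text):
    """Parse CS.cfg key=value lines into a dict, preserving key order."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def find_stale_bind_dns(cfg):
    """Return (key, value) pairs whose bind DN still points at the ou=people entry."""
    return [(k, v) for k, v in cfg.items()
            if k.endswith("bindDN") and OLD_USER_PREFIX.match(v)]


def rewrite_bind_dns(cfg):
    """Return a copy of cfg with stale pkidbuser bind DNs moved to the parent subtree.
    Only bindDN parameters are touched; everything else is copied unchanged."""
    return {k: (OLD_USER_PREFIX.sub("uid=pkidbuser,", v) if k.endswith("bindDN") else v)
            for k, v in cfg.items()}


def render_cs_cfg(cfg):
    return "".join(f"{k}={v}\n" for k, v in cfg.items())


# Constructed CS.cfg fragment: the two parameters named on the page plus a few
# unrelated settings (assumed key names) that must be left untouched.
SAMPLE_CS_CFG = """\
# constructed sample, not a real CS.cfg
internaldb.ldapconn.host=ca.example.com
internaldb.ldapconn.port=389
internaldb.ldapauth.bindDN=uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
internaldb.ldapauth.authtype=SslClientAuth
authz.instance.DirAclAuthz.ldap.ldapauth.bindDN=uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
ca.Policy.enable=true
"""

if __name__ == "__main__":
    cfg = parse_cs_cfg(SAMPLE_CS_CFG)
    for key, value in find_stale_bind_dns(cfg):
        print(f"stale: {key}={value}")
    print(render_cs_cfg(rewrite_bind_dns(cfg)), end="")
```

Run the stale check against the CS.cfg of every subsystem on every server; only when it reports nothing anywhere is it safe to start the ACL and user removal below.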
Removing Old Users
Remove ACLs for the old users:
$ pki-ds backend-access-deny ca uid=pkidbuser,ou=people,dc=ca,dc=example,dc=com
$ pki-ds backend-access-deny kra uid=pkidbuser,ou=people,dc=kra,dc=example,dc=com
$ pki-ds backend-access-deny ocsp uid=pkidbuser,ou=people,dc=ocsp,dc=example,dc=com
$ pki-ds backend-access-deny tks uid=pkidbuser,ou=people,dc=tks,dc=example,dc=com
$ pki-ds backend-access-deny tps uid=pkidbuser,ou=people,dc=tps,dc=example,dc=com
Remove the old users from the groups:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-group-user-del "Subsystem Group" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-group-user-del "Certificate Manager Agents" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-group-user-del "Data Recovery Manager Agents" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-group-user-del "Trusted Managers" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ocsp-group-user-del "Trusted Managers" pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin tks-group-user-del "Token Key Service Manager Agents" pkidbuser
Remove the old users:
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ca-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin kra-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin ocsp-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin tks-user-del pkidbuser
$ pki -d ~/.dogtag/pki-tomcat/ca/alias -c Secret.123 -n caadmin tps-user-del pkidbuser