[Freeipa-devel] Notes on server to server sasl

Simo Sorce ssorce at redhat.com
Tue Oct 21 10:17:12 UTC 2008


On Mon, 2008-10-20 at 10:53 -0600, Rich Megginson wrote:
> Simo Sorce wrote:
> > On Fri, 2008-10-17 at 17:15 -0600, Rich Megginson wrote:
> >   
> >> I'm using the current HEAD code.  My master is F9 x86_64 and my replica 
> >> is F8 i386.  For the most part, the setup documented here 
> >> http://freeipa.org/page/InstallAndDeploy works pretty well.
> >>
> >> Setup
> >> 1) I'm not using DNS, just testing with VMs, so I had to make sure my 
> >> VMs were assigned a consistent IP address via dhcp - and edit /etc/hosts 
> >> to use the fqdn
> >> 2) I did not assign a hostname at install time, so I had to edit 
> >> /etc/sysconfig/network to assign the hostname and reboot - probably 
> >> could have done that with dhcp too (anyone know how?)
> >> 3) I had to edit the firewall settings to allow 389 and 636 tcp (and udp 
> >> for good measure) on both the master and replica
> >> 4) I added the --no-host-dns option to ipa-server-install, but I'll need 
> >> to add that to several other ipa- cmd line tools as well - I just hacked 
> >> them instead to pass in verify_fqdn(name, True)
> >>
> >> Notes
> >> 1) ipa-replica-install did not add a replication agreement from the 
> >> replica to the master, but it configured the replica as a master (for 
> >> MMR) - is this expected?
> >>     
> >
> > Yes they are all masters in freeipa-land so far.
> >   
> I did this again after fixing some problems - still no replication 
> agreement from replica->master

The script failed to create it?

> > This will not work, you need to teach dirsrv how to do these operations
> > itself, and how to handle renewals when the TGT expires. Otherwise you
> > just get a hackish thing that works a few hours and then breaks.
> >   
> Sure.  I'll note that this is how openldap does it for server to server 
> sasl - they typically have some sort of script or daemon that renews the 
> ticket.
> 
> How else should this be done?

I think you have a couple of ways.

1. if the connections are long lived you could decide to always acquire
a new TGT before trying to establish a connection.

2. if connections are frequent, you might decide to check before a
connection if credentials are still valid and renew if not.

3. You have another task running periodically that refreshes
credentials.

Simo.
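An added example, not code from the thread or from FreeIPA or 389-ds, of the second approach Simo lists: check whether the credential is still usable immediately before each connection and renew only when it is not. The in-memory cache, the `fake_kinit` acquire callback, the principal name, the ticket lifetime and the 300-second renewal margin are all constructed stand-ins; a real implementation would wrap the Kerberos credential cache and a keytab-based `kinit`.

```python
"""Check-before-connect credential policy (constructed example).

Models option 2 from the thread: before opening a server-to-server
SASL/GSSAPI connection, verify the TGT is valid and renew it if not.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Ticket:
    principal: str
    expires_at: int  # seconds since epoch (constructed value)


# Renew this many seconds before expiry so a connection opened close to
# the deadline does not fail mid-handshake. The margin is an assumption.
RENEW_MARGIN = 300


def ticket_is_valid(ticket: Optional[Ticket], now: int,
                    margin: int = RENEW_MARGIN) -> bool:
    """True if a ticket exists and stays valid for at least `margin` seconds."""
    return ticket is not None and ticket.expires_at - now > margin


class CredentialCache:
    """In-memory stand-in for a Kerberos credential cache (constructed)."""

    def __init__(self, acquire: Callable[[int], Ticket]):
        self._acquire = acquire  # stand-in for kinit -k -t <keytab>
        self._ticket: Optional[Ticket] = None
        self.renewals = 0

    def ensure_valid(self, now: int) -> Ticket:
        """Option 2: check at connect time, renew only when needed."""
        if not ticket_is_valid(self._ticket, now):
            self._ticket = self._acquire(now)
            self.renewals += 1
        return self._ticket


def connect(cache: CredentialCache, now: int) -> str:
    """Simulated bind: obtain a usable ticket first, then 'bind' with it."""
    ticket = cache.ensure_valid(now)
    return f"bound as {ticket.principal} (valid until {ticket.expires_at})"


def fake_kinit(now: int, lifetime: int = 36000) -> Ticket:
    """Constructed acquire callback: issues a 10-hour ticket from `now`."""
    return Ticket("ldap/replica.example.test@EXAMPLE.TEST", now + lifetime)


def simulate(connect_times: List[int]) -> int:
    """Run connections at the given times; return how many renewals happened."""
    cache = CredentialCache(fake_kinit)
    for t in connect_times:
        connect(cache, t)
    return cache.renewals


if __name__ == "__main__":
    # Connections at 0s, 100s, 35000s, 35800s and 80000s with a 36000s
    # lifetime and 300s margin trigger three renewals: the initial one,
    # one inside the margin at 35800s, and one after expiry at 80000s.
    print("renewals:", simulate([0, 100, 35000, 35800, 80000]))
```

The margin is what makes the check safe in practice: a ticket that is technically valid when the check runs but expires a few seconds later still fails the bind, and renewing slightly early costs nothing. The same `ensure_valid` call could instead be driven by a timer to get option 3 from the thread.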