[Freeipa-devel] [PATCHES 509-514] replica promotion: use host credentials when setting up replication
Jan Cholasta
jcholast at redhat.com
Thu Nov 19 14:43:35 UTC 2015
Hi,
the attached patches fix <https://fedorahosted.org/freeipa/ticket/3416>
and <https://fedorahosted.org/freeipa/ticket/5401>.
I worked around the issue of checking if the user is privileged to
perform replica promotion by using host credentials instead. The host
must be a member of the IPA servers host group "ipaservers" in order to
be able to promote itself. Using host credentials will also allow
replica install using one-time password.
User credentials are still used for the connection check and to
automatically add the host to ipaservers if the user is privileged to do
that.
Simo, is this approach OK? Could you check the new ACIs in patches 510
and 513?
I have a couple of questions:
1) Why are custodia keys for the replica added to LDAP using connection
to the remote master instead of local ldapi connection? Is it to
eliminate race conditions caused by replication timeout from the replica
to the remote master?
If the code was changed to use ldapi and wait until the key appears in
custodia on the remote master, we could lose the "IPA server hosts can
create own Custodia secrets" and "IPA server hosts can manage own
Custodia secrets" ACIs from patch 510. Not sure if it's worth the change
though.
2) Why is 'memberPrincipal' used in cn=custodia instead of 'member'?
If 'member' was used instead, we would gain referential integrity and
the ability to add ACIs based on the attribute (think
userattr="member#USERDN").
3) Why is 'memberPrincipal' used in cn=custodia at all?
The hostname of the replica is already in 'cn', so instead of searching
cn=custodia for entries matching (memberPrincipal=host/$HOSTNAME), we
could get cn={enc,sig}/$HOSTNAME,cn=custodia directly.
Honza
--
Jan Cholasta
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-509-aci-add-IPA-servers-host-group-ipaservers.patch
Type: text/x-patch
Size: 20954 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151119/9aa3b5ab/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-510-aci-allow-members-of-ipaservers-to-set-up-replicatio.patch
Type: text/x-patch
Size: 3270 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151119/9aa3b5ab/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-511-ipautil-use-file-in-a-temporary-dir-as-ccache-in-pri.patch
Type: text/x-patch
Size: 1314 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151119/9aa3b5ab/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-512-replica-promotion-use-host-credentials-when-setting-.patch
Type: text/x-patch
Size: 4976 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151119/9aa3b5ab/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-513-aci-allow-hosts-to-do-replica-promotion-checks.patch
Type: text/x-patch
Size: 2747 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151119/9aa3b5ab/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-jcholast-514-replica-promotion-automatically-add-the-local-host-t.patch
Type: text/x-patch
Size: 3141 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151119/9aa3b5ab/attachment-0005.bin>
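The following is an added illustration of questions 2 and 3 above; it is not FreeIPA code and not the ACI text from patches 510 or 513. It models, in a tiny in-memory directory, why a DN-valued 'member' attribute can drive a 389-ds bind rule of the form userattr="member#USERDN" while a 'memberPrincipal' string cannot, and how the custodia key entry can be addressed directly by DN instead of being searched by principal. The suffix dc=example,dc=test, the container location cn=custodia,<suffix>, the host entry DN shape fqdn=<host>,cn=computers,cn=accounts,<suffix>, and the targetattr name in the sample ACI are assumptions made for the example.

```python
# Added example: not FreeIPA's code or ACIs. Directory contents, suffix,
# hostnames and the ACI string below are constructed for illustration.

SUFFIX = "dc=example,dc=test"                 # assumed suffix
CUSTODIA = "cn=custodia," + SUFFIX            # assumed container location


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    special = ',+"\\<>;='
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in special or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def custodia_key_dn(key_type: str, hostname: str, container: str = CUSTODIA) -> str:
    """Question 3: the replica hostname is already in 'cn', so the entry DN can
    be built directly as cn={enc,sig}/$HOSTNAME,<container> without a search."""
    if key_type not in ("enc", "sig"):
        raise ValueError("key_type must be 'enc' or 'sig'")
    return f"cn={escape_rdn_value(key_type + '/' + hostname)},{container}"


def normalize_dn(dn: str) -> str:
    # Good enough for the example: case-insensitive, whitespace after commas ignored.
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed directory: one key entry uses DN-valued 'member', the other the
# string-valued 'memberPrincipal' the mail asks about.
HOST_DN = f"fqdn=replica1.example.test,cn=computers,cn=accounts,{SUFFIX}"  # assumed shape
HOST_PRINCIPAL = "host/replica1.example.test@EXAMPLE.TEST"
DIRECTORY = {
    custodia_key_dn("enc", "replica1.example.test"): {
        "cn": ["enc/replica1.example.test"],
        "member": [HOST_DN],
    },
    custodia_key_dn("sig", "replica1.example.test"): {
        "cn": ["sig/replica1.example.test"],
        "memberPrincipal": [HOST_PRINCIPAL],
    },
}


def search_by_principal(principal: str) -> list:
    """The search the mail describes: (memberPrincipal=host/$HOSTNAME) under cn=custodia."""
    return sorted(dn for dn, e in DIRECTORY.items() if principal in e.get("memberPrincipal", []))


def bind_rule_member_userdn(entry: dict, bind_dn: str) -> bool:
    """Model of the 389-ds bind rule userattr="member#USERDN": the bound DN must
    equal one of the target entry's 'member' values. A principal string in
    'memberPrincipal' is not a DN, so no such DN-based rule can match it."""
    members = {normalize_dn(v) for v in entry.get("member", [])}
    return normalize_dn(bind_dn) in members


def host_may_write_key(key_dn: str, bind_dn: str) -> bool:
    entry = DIRECTORY.get(key_dn)
    return entry is not None and bind_rule_member_userdn(entry, bind_dn)


# Sample ACI of the kind question 2 refers to (illustration only; 'ipaPublicKey'
# as targetattr is an assumption, not the attribute from the patches).
SAMPLE_ACI = (
    '(targetattr = "ipaPublicKey")'
    f'(target = "ldap:///cn=*,{CUSTODIA}")'
    '(version 3.0; acl "Example: hosts manage own Custodia key via member"; '
    'allow (write) userattr = "member#USERDN";)'
)


if __name__ == "__main__":
    enc_dn = custodia_key_dn("enc", "replica1.example.test")
    sig_dn = custodia_key_dn("sig", "replica1.example.test")
    print("direct DN:", enc_dn)
    print("search hits:", search_by_principal(HOST_PRINCIPAL))
    print("host may write enc key (member):", host_may_write_key(enc_dn, HOST_DN))
    print("host may write sig key (memberPrincipal):", host_may_write_key(sig_dn, HOST_DN))
```

The two key entries differ only in how they name their owner; the DN-based bind rule grants the host write access to the entry that carries 'member' and nothing to the one that carries only 'memberPrincipal', which is the gain (together with referential integrity) the mail points at in question 2.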