[Freeipa-devel] [PATCHES 509-514] replica promotion: use host credentials when setting up replication

Oleg Fayans ofayans at redhat.com
Wed Nov 25 20:35:38 UTC 2015


Hi,

Should I cover ticket N 3416 in the replica promotion test plan? It 
should be tested, and IMO there is no sense in creating a separate test 
plan for just that.

On 11/19/2015 03:43 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patches fix <https://fedorahosted.org/freeipa/ticket/3416>
> and <https://fedorahosted.org/freeipa/ticket/5401>.
>
> I worked around the issue of checking if the user is privileged to
> perform replica promotion by using host credentials instead. The host
> must be a member of the IPA servers host group "ipaservers" in order to
> be able to promote itself. Using host credentials will also allow
> replica install using one-time password.
>
> User credentials are still used for connection check and to
> automatically add the host to ipaservers if the user is privileged to do
> that.
>
> Simo, is this approach OK? Could you check the new ACIs in patches 510
> and 513?
>
> I have a couple of questions:
>
> 1) Why are custodia keys for the replica added to LDAP using connection
> to the remote master instead of local ldapi connection? Is it to
> eliminate race conditions caused by replication timeout from the replica
> to the remote master?
>
> If the code was changed to use ldapi and wait until the key appears in
> custodia on the remote master, we could lose the "IPA server hosts can
> create own Custodia secrets" and "IPA server hosts can manage own
> Custodia secrets" ACIs from patch 510. Not sure if it's worth the change
> though.
>
> 2) Why is 'memberPrincipal' used in cn=custodia instead of 'member'?
>
> If 'member' was used instead, we would gain referential integrity and
> the ability to add ACIs based on the attribute (think
> userattr="member#USERDN").
>
> 3) Why is 'memberPrincipal' used in cn=custodia at all?
>
> The hostname of the replica is already in 'cn', so instead of searching
> cn=custodia for entries matching (memberPrincipal=host/$HOSTNAME), we
> could get cn={enc,sig}/$HOSTNAME,cn=custodia directly.
>
> Honza

-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
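To make question 3 in Honza's quoted message concrete, here is an added example (not FreeIPA's code, and not something either participant posted) contrasting the two ways of locating a replica's Custodia key entries: a search on memberPrincipal versus going straight to cn={enc,sig}/$HOSTNAME,cn=custodia. The container suffix, the entry layout, the realm-less "host/$HOSTNAME" principal form (as written in the thread) and the sample entries are all assumptions constructed for the example; the search path uses a deliberately minimal equality/wildcard filter matcher so it runs with no LDAP server.

```python
"""
Two ways to find a replica's Custodia key entries under cn=custodia,
as discussed in the thread:

  1. search the container with (memberPrincipal=host/$HOSTNAME)
  2. fetch cn={enc,sig}/$HOSTNAME,cn=custodia,... by DN

Example code written for this thread, not FreeIPA's implementation.
Suffix, entry layout and sample entries are constructed assumptions.
"""
import re

SUFFIX = "dc=example,dc=test"          # assumed base suffix
CUSTODIA_BASE = f"cn=custodia,{SUFFIX}"  # assumed container DN


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside an RDN."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def member_principal_filter(hostname: str) -> str:
    """Approach 1: the search filter, with the hostname escaped."""
    return f"(memberPrincipal={escape_filter_value('host/' + hostname)})"


def custodia_key_dn(kind: str, hostname: str) -> str:
    """Approach 2: the direct DN of the enc or sig key entry."""
    if kind not in ("enc", "sig"):
        raise ValueError("kind must be 'enc' or 'sig'")
    return f"cn={escape_dn_value(kind + '/' + hostname)},{CUSTODIA_BASE}"


# Minimal stand-in for the directory: equality filters with '*' wildcards.
_FILTER_RE = re.compile(r"^\((\w+)=(.*)\)$")


def _unescape_filter_value(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), raw)


def search(entries, filter_str: str):
    """Evaluate a single (attr=value) filter; unescaped '*' is a wildcard."""
    m = _FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("only simple (attr=value) filters are supported")
    attr, raw = m.groups()
    pattern = re.compile(
        "^" + ".*".join(re.escape(_unescape_filter_value(p))
                         for p in raw.split("*")) + "$")
    return [e for e in entries if any(pattern.match(v) for v in e.get(attr, []))]


def lookup_dn(entries, dn: str):
    """Base-scope read of one entry by DN (case-insensitive compare)."""
    return [e for e in entries if e["dn"].lower() == dn.lower()]


def keys_for_host(entries, hostname: str):
    """Approach 2 for both key kinds: no search, no filter construction."""
    found = []
    for kind in ("enc", "sig"):
        found.extend(lookup_dn(entries, custodia_key_dn(kind, hostname)))
    return found


def _entry(kind: str, hostname: str) -> dict:
    return {"dn": custodia_key_dn(kind, hostname),
            "cn": [f"{kind}/{hostname}"],
            "memberPrincipal": [f"host/{hostname}"]}


# Constructed sample container: two replicas, enc and sig keys each.
ENTRIES = [_entry(k, h) for h in ("replica1.example.test",
                                  "replica2.example.test")
           for k in ("enc", "sig")]


if __name__ == "__main__":
    host = "replica1.example.test"
    print(member_principal_filter(host),
          [e["cn"][0] for e in search(ENTRIES, member_principal_filter(host))])
    print([e["cn"][0] for e in keys_for_host(ENTRIES, host)])
    # An unescaped hostname of '*' would turn approach 1 into a wildcard
    # search over every key in the container; escaping makes it match nothing.
    print(len(search(ENTRIES, "(memberPrincipal=host/*)")),
          len(search(ENTRIES, member_principal_filter("*"))))
```

The point the second approach buys, beyond the question of which attribute to index on: the hostname never passes through filter syntax at all, so there is no filter to escape (the DN still needs RFC 4514 escaping, which escape_dn_value shows for a hostname containing a comma), and a base-scope read of a known DN needs only read access to that one entry rather than search rights over cn=custodia.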