[Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements

Simo Sorce ssorce at redhat.com
Wed Jan 12 19:45:32 UTC 2011


The existing code sets up replication agreements by recycling the
Directory Manager password for the Replication Manager user.

This causes 2 issues:
- If you change the DM password, newer replicas will fail to access the
  older masters as they will have a different password on their
  Replication Manager user. And conversely, if you change this password
  when you set up a new replica, we risk kicking off unrelated
  replicas.
  The main issue is the use of a single user for all replication
  agreements.

  This is bug #690

- Because you need to know the DM password to set up a new agreement,
  you can't change the replication topology w/o using the Directory
  Manager user (the connect command of ipa-replica-manage requires it).

  This is bug #644


The following patchset comprises 5 patches:

- 0044 Simply refactors some code to make the following patches smaller
  and more readable.

- 0045 Remove unused stuff in ipa-replica-install

- 0046 Removes the ability to use alternative ports; we can't use
  non-standard ports anyway, as we are pretty much hardwired to the
  standard ones all over the place.

- 0047 Changes the replica setup so that the final replication agreement
  can use SASL/GSSAPI for authentication, using the server's own ldap
  service principal to log into the other replicas for replication.
  To resolve the chicken/egg problem of needing kerberos credentials
  before kerberos principals are created, the replication setup process
  is split in 2 phases. A first phase uses the classic Simple auth over
  SSL to prime the replica. Once that's done the replication agreement
  is changed to use SASL/GSSAPI instead and the temporary replication
  manager user is removed.
  This patch also works around a DS bug in changing agreements by using
  389/TLS instead of 636/SSL for the initial replica synchronization.

  This fixes #690

- 0048 Adds code to directly set up GSSAPI agreements between existing
  replicas (no chicken/egg problem here wrt kerberos) and uses it in
  ipa-replica-manage when a link needs to be added.

  This fixes #644

This patch set requires a full reinstall of all servers as some ACIs
in cn=config had to be changed.

Happy testing :)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
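The two-phase conversion described for patch 0047, modelled as an added example (not code from the patch set or from FreeIPA): a primed SIMPLE/TLS agreement on port 389 is switched to SASL/GSSAPI and the stored password removed. The nsDS5Replica* attribute names are the 389 DS agreement attributes; the host names, DNs and password are constructed, the plain-LDAP transport after the switch is an assumption, and the precondition that the peer's replica entry must already list our ldap/ principal in nsDS5ReplicaBindDN is the check a practitioner would want before the credentials are deleted.

```python
MOD_DELETE, MOD_REPLACE = 1, 2  # same numeric values as python-ldap's ldap.MOD_DELETE/MOD_REPLACE

# Constructed phase-1 agreement, as the priming step leaves it: SIMPLE bind
# over STARTTLS on 389 using the temporary replication manager's password.
PRIMED_AGREEMENT = {
    "nsDS5ReplicaHost": ["replica2.example.test"],
    "nsDS5ReplicaPort": ["389"],
    "nsDS5ReplicaTransportInfo": ["TLS"],
    "nsDS5ReplicaBindMethod": ["SIMPLE"],
    "nsDS5ReplicaBindDN": ["cn=replication manager,cn=config"],
    "nsDS5ReplicaCredentials": ["constructed-temporary-password"],
}

# Constructed DN of this server's ldap/ service principal, and the
# nsDS5ReplicaBindDN values read back from the peer's cn=replica entry.
OUR_LDAP_PRINCIPAL_DN = ("krbprincipalname=ldap/replica1.example.test@EXAMPLE.TEST,"
                         "cn=services,cn=accounts,dc=example,dc=test")
PEER_REPLICA_BINDDNS = ["cn=replication manager,cn=config", OUR_LDAP_PRINCIPAL_DN]

def gssapi_modlist(agreement, peer_replica_binddns, our_principal_dn):
    """Phase-2 modifications: switch a primed agreement to SASL/GSSAPI and
    drop the stored password.  Refuses unless the peer's replica entry
    already authorizes our ldap/ principal, otherwise the GSSAPI bind would
    be rejected and replication would stall once the credentials are gone."""
    if agreement.get("nsDS5ReplicaBindMethod") != ["SIMPLE"]:
        raise ValueError("agreement is not in the SIMPLE priming state")
    if our_principal_dn.lower() not in (dn.lower() for dn in peer_replica_binddns):
        raise ValueError("peer replica does not list our ldap/ principal")
    return [
        (MOD_REPLACE, "nsDS5ReplicaBindMethod", ["SASL/GSSAPI"]),
        # GSSAPI supplies integrity/confidentiality, so plain LDAP transport is assumed.
        (MOD_REPLACE, "nsDS5ReplicaTransportInfo", ["LDAP"]),
        (MOD_DELETE, "nsDS5ReplicaBindDN", None),
        (MOD_DELETE, "nsDS5ReplicaCredentials", None),
    ]

def apply_modlist(entry, mods):
    """Offline stand-in for conn.modify_s(): apply mods to a copy of the entry."""
    out = {attr: list(vals) for attr, vals in entry.items()}
    for op, attr, values in mods:
        if op == MOD_DELETE:
            out.pop(attr, None)
        elif op == MOD_REPLACE:
            out[attr] = list(values)
    return out

def stores_password(agreement):
    """True while a replication password is still kept in cn=config."""
    return "nsDS5ReplicaCredentials" in agreement
```

After the switch, stores_password() on the converted agreement is the quick check that no reusable replication password remains in cn=config on the master.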
Attachments (non-text attachments scrubbed by the list archive, all text/x-patch):

- freeipa-simo-0044-Refactor-some-replication-code.patch (26876 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment.bin>
- freeipa-simo-0045-Remove-unused-random-password-in-replica-install-scr.patch (1066 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0001.bin>
- freeipa-simo-0046-Remove-port-argument-for-ipa-replica-manage.patch (2036 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0002.bin>
- freeipa-simo-0047-Use-GSSAPI-for-replication.patch (14578 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0003.bin>
- freeipa-simo-0048-Allow-using-Kerberos-credentials-with-the-connect-co.patch (1995 bytes)
  <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0004.bin>