[Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
Simo Sorce
ssorce at redhat.com
Wed Jan 12 19:45:32 UTC 2011
The existing code sets up replication agreements by recycling the
Directory Manager password for the Replication Manager user.
This causes 2 issues:
- If you change the DM password newer replicas will fail to access the
older masters as they will have a different password on their
Replication Manager user. And conversely if you change this password
when you set up a new replica we risk kicking off unrelated
replicas.
The main issue is the use of a single user for all replication
agreements.
This is bug #690
- Because you need to know the DM password to set up a new agreement
you can't change the replication topology w/o using the Directory
Manager user. (the connect command of ipa-replica-manage requires it)
This is bug #644
The following patchset comprises 5 patches:
- 0044 Simply refactors some code to make the following patches smaller
and more readable.
- 0045 Remove unused stuff in ipa-replica-install
- 0046 Removes the ability to use alternative ports; we can't use
non-standard ports anyway, we are pretty much hardwired on std. ones
all over the place.
- 0047 Change the replica setup so that the final replication agreement
can use SASL/GSSAPI for authentication, using the server's own ldap
service principal to log into the other replicas for replication.
To resolve the chicken/egg problem of needing kerberos credentials
before kerberos principals are created, the replication setup process
is split in 2 phases. A first phase uses the classic Simple auth over
SSL to prime the replica. Once that's done the replication agreement
is changed to use SASL/GSSAPI instead and the temporary replication
manager user is removed.
This patch also works around a DS bug in changing agreements by using
389/TLS instead of 636/SSL for the initial replica synchronization.
This fixes #690
- 0048 Adds code to directly setup GSSAPI agreements between existing
replicas (no chicken/egg problem here wrt kerberos) and uses it in
ipa-replica-manage when a link needs to be added.
This fixes #644
This patch set requires a full reinstall of all servers as some ACIs
in cn=config had to be changed.
Happy testing :)
Simo.
--
Simo Sorce * Red Hat, Inc * New York
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0044-Refactor-some-replication-code.patch
Type: text/x-patch
Size: 26876 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0045-Remove-unused-random-password-in-replica-install-scr.patch
Type: text/x-patch
Size: 1066 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0046-Remove-port-argument-for-ipa-replica-manage.patch
Type: text/x-patch
Size: 2036 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0047-Use-GSSAPI-for-replication.patch
Type: text/x-patch
Size: 14578 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0003.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-simo-0048-Allow-using-Kerberos-credentials-with-the-connect-co.patch
Type: text/x-patch
Size: 1995 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20110112/675ba64d/attachment-0004.bin>
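The two-phase agreement setup described in the message, as an added example that is not part of the posted patches or of FreeIPA/389 DS itself. It models the agreement entry and the phase-2 modification as plain dicts and modlists so it runs offline; attribute names follow the nsDS5ReplicationAgreement schema of 389 Directory Server, while the suffix, realm, hostnames, the temporary manager DN, the location of the ldap/ service principal entry and the step that authorizes that principal on the consumer side are assumptions made for the illustration.

```python
# Added example, not FreeIPA or 389 DS code: models the two-phase agreement
# setup as plain dicts/modlists so it runs offline with no directory server.
# Attribute names follow the nsDS5ReplicationAgreement schema of 389 DS;
# suffix, realm, hostnames and the temporary manager DN are constructed.
import secrets
from typing import Dict, List, Optional, Tuple

SUFFIX = "dc=example,dc=test"   # constructed sample suffix
REALM = "EXAMPLE.TEST"          # constructed sample realm
# Temporary simple-bind account used only while priming the replica (assumed name).
TMP_REPL_MGR_DN = "cn=replication manager,cn=config"

Entry = Dict[str, List[str]]
Mod = Tuple[str, str, Optional[List[str]]]   # (op, attribute, values)


def replica_dn() -> str:
    # Per-suffix replica entry under the mapping tree; agreements hang below it.
    return f"cn=replica,cn={SUFFIX},cn=mapping tree,cn=config"


def agreement_dn(remote: str) -> str:
    return f"cn=meTo{remote},{replica_dn()}"


def ldap_principal_dn(host: str) -> str:
    # Assumed layout of the server's ldap/ service principal entry; this is
    # the identity the supplier binds with once the agreement uses GSSAPI.
    return f"krbprincipalname=ldap/{host}@{REALM},cn=services,cn=accounts,{SUFFIX}"


def phase1_simple_agreement(remote: str, password: str) -> Entry:
    """Phase 1: prime the new replica with a SIMPLE bind over 389 + TLS.
    The bind DN and password sit in the agreement itself; phase 2 removes them."""
    return {
        "dn": [agreement_dn(remote)],
        "objectClass": ["top", "nsDS5ReplicationAgreement"],
        "cn": [f"meTo{remote}"],
        "nsDS5ReplicaHost": [remote],
        "nsDS5ReplicaPort": ["389"],
        "nsDS5ReplicaTransportInfo": ["TLS"],
        "nsDS5ReplicaBindMethod": ["SIMPLE"],
        "nsDS5ReplicaBindDN": [TMP_REPL_MGR_DN],
        "nsDS5ReplicaCredentials": [password],
        "nsDS5ReplicaRoot": [SUFFIX],
        "nsDS5ReplicaUpdateSchedule": ["0000-2359 0123456"],
        "nsds5BeginReplicaRefresh": ["start"],
    }


def consumer_allow_principal_mod(local: str) -> Mod:
    """Mod for the remote side's replica entry (assumed step): let our ldap/
    principal bind as a replication supplier. Must land before the GSSAPI switch."""
    return ("add", "nsDS5ReplicaBindDN", [ldap_principal_dn(local)])


def phase2_gssapi_modlist() -> List[Mod]:
    """Phase 2: flip the agreement to SASL/GSSAPI and drop the stored bind DN
    and password; the supplier's own keytab becomes the credential."""
    return [
        ("replace", "nsDS5ReplicaBindMethod", ["SASL/GSSAPI"]),
        ("replace", "nsDS5ReplicaTransportInfo", ["LDAP"]),
        ("delete", "nsDS5ReplicaBindDN", None),
        ("delete", "nsDS5ReplicaCredentials", None),
    ]


def apply_mods(entry: Entry, mods: List[Mod]) -> Entry:
    out = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op == "replace":
            out[attr] = list(values or [])
        elif op == "add":
            out.setdefault(attr, []).extend(values or [])
        elif op == "delete":
            out.pop(attr, None)
        else:
            raise ValueError(f"unknown op {op}")
    return out


def agreement_holds_secret(entry: Entry) -> bool:
    # Audit check: a finished GSSAPI agreement carries neither a bind DN nor a password.
    return bool(entry.get("nsDS5ReplicaCredentials") or entry.get("nsDS5ReplicaBindDN"))


def setup_replica(local: str, remote: str) -> Tuple[Entry, List[Tuple[str, object]]]:
    """Return the final agreement and the ordered steps an installer would run."""
    pw = secrets.token_urlsafe(24)
    agreement = phase1_simple_agreement(remote, pw)
    steps: List[Tuple[str, object]] = [("add", agreement)]           # phase 1
    steps.append(("modify", (replica_dn(), [consumer_allow_principal_mod(local)])))
    agreement = apply_mods(agreement, phase2_gssapi_modlist())       # phase 2
    steps.append(("modify", (agreement_dn(remote), phase2_gssapi_modlist())))
    steps.append(("delete", TMP_REPL_MGR_DN))   # temporary manager goes away
    return agreement, steps
```

The point of `agreement_holds_secret` is the check a practitioner would run after the switch: once an agreement binds with SASL/GSSAPI, any leftover nsDS5ReplicaBindDN or nsDS5ReplicaCredentials is a sign phase 2 did not complete, and the shared-password problem the message describes is still present.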