[Freeipa-devel] Understanding FreeIPA replica internals

Martin Kosek mkosek at redhat.com
Fri May 23 13:44:56 UTC 2014


On 05/23/2014 03:28 PM, Dmitri Pal wrote:
> On 05/23/2014 06:42 AM, Martin Kosek wrote:
>> On 05/23/2014 07:01 AM, James wrote:
>>> I'm trying to understand some of the FreeIPA replication internals so
>>> that I can better know how to do this properly in Puppet without
>>> storing any secret information in Puppet, and so that automating
>>> FreeIPA is awesome.
>>>
>>> Please point me to any docs, if there is reading I could be doing :)
>>>
>>> Here are some open questions I have:
>>>
>>> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
>>> password and is that password equal to the dm_password ? If not, where
>>> do the pub/priv key pairs come from and how do they get transferred to
>>> the replica.
>> Yes. Grep for function expand_replica_info in FreeIPA git.
>>
>>> 2) If I have root on the IPA server (actually all of them) how can I
>>> run ipa-replica-prepare without needing interactive prompting for
>>> entering the password. It's not possible with puppet. Is there another
>>> (possibly less user friendly even) method to "prepare" the replica?
>>> What is prepare actually doing?
>> For that, you can for example use --password for passing the DM password.
> 
> I guess the question is more:
> If I am root is there any way to do the operation without providing the
> password but rather using something like LDAPI to drive the operation.
> The issue is that if you use puppet there is no way to get the password
> dynamically from some kind of source without baking it into the scripts.
> Baking passwords into scripts is bad so to avoid it there needs to be a way for
> root to install replica without it. I am not sure it is currently possible though.

One cannot easily improve ipa-replica-prepare to work through LDAPI as we also
need to encipher the replica info package - and we cannot do that without the clear
text DM password.

The right way seems to be rather the RFE you filed:
https://fedorahosted.org/freeipa/ticket/2888

Martin
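The mechanism discussed above (replica-info file symmetrically GPG-encrypted with the DM password, unpacked on the replica by expand_replica_info), as an added example that is not FreeIPA's own code and not part of the original thread. It assumes the replica file lives at /var/lib/ipa/replica-info-<fqdn>.gpg, that gpg is on PATH, and that the archive inside is a plain tar; the helper names (replica_info_path, gpg_decrypt_argv, is_safe_member_name, expand_replica_info) are this example's own. The passphrase is fed on stdin rather than put in argv, since anything on a command line is readable by every local user through /proc/<pid>/cmdline, which is also the caveat that applies to ipa-replica-prepare --password.

```python
"""Added example: unpack a FreeIPA-style replica-info file.

Not FreeIPA's code. Mirrors the idea of expand_replica_info: gpg symmetric
decryption with the Directory Manager password, then untar into a private
working directory. Paths and helper names are assumptions of this example.
"""
import os
import subprocess
import tarfile
import tempfile
from typing import List, Optional

# Assumption: default location ipa-replica-prepare writes the file to.
REPLICA_INFO_DIR = "/var/lib/ipa"


def replica_info_path(replica_fqdn: str) -> str:
    """Path of the GPG-encrypted replica bundle for a given replica FQDN."""
    return os.path.join(REPLICA_INFO_DIR, f"replica-info-{replica_fqdn}.gpg")


def gpg_decrypt_argv(infile: str, outfile: str) -> List[str]:
    """Build the gpg command line for symmetric decryption.

    The passphrase is NOT part of argv: --passphrase-fd 0 makes gpg read it
    from stdin, so the DM password never shows up in /proc/<pid>/cmdline.
    """
    return [
        "gpg", "--batch", "--yes", "--quiet",
        "--passphrase-fd", "0",
        "--output", outfile,
        "--decrypt", infile,
    ]


def is_safe_member_name(name: str) -> bool:
    """Reject absolute paths and '..' components before extracting a tar entry."""
    if name.startswith("/"):
        return False
    return ".." not in name.split("/")


def expand_replica_info(infile: str, dm_password: str,
                        workdir: Optional[str] = None) -> str:
    """Decrypt the replica bundle with the DM password and untar it.

    Returns the directory holding the unpacked files. The directory is
    mode 0700 because the bundle contains private key material.
    """
    workdir = workdir or tempfile.mkdtemp(prefix="ipa-replica-")
    os.chmod(workdir, 0o700)
    tar_path = os.path.join(workdir, "files.tar")

    # Symmetric decryption: the same DM password used at prepare time.
    subprocess.run(
        gpg_decrypt_argv(infile, tar_path),
        input=dm_password.encode() + b"\n",
        check=True,
    )

    with tarfile.open(tar_path) as tf:
        for member in tf.getmembers():
            if not is_safe_member_name(member.name):
                raise ValueError(f"unsafe path in replica archive: {member.name}")
        tf.extractall(workdir)

    # The plaintext tar is no longer needed; remove it promptly.
    os.unlink(tar_path)
    return workdir


if __name__ == "__main__":  # usage sketch; needs a real bundle and gpg
    import getpass
    import sys
    bundle = replica_info_path(sys.argv[1])
    print(expand_replica_info(bundle, getpass.getpass("DM password: ")))
```

The usage sketch at the bottom prompts for the password interactively; a configuration-management run would instead read it from a root-only file and pass it to expand_replica_info directly, which is exactly the secret-handling problem the thread is about.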
