[Freeipa-devel] Understanding FreeIPA replica internals

Rob Crittenden rcritten at redhat.com
Fri May 23 13:46:22 UTC 2014


Dmitri Pal wrote:
> On 05/23/2014 06:42 AM, Martin Kosek wrote:
>> On 05/23/2014 07:01 AM, James wrote:
>>> I'm trying to understand some of the FreeIPA replication internals so
>>> that I can better know how to do this properly in Puppet without
>>> storing any secret information in Puppet, and so that automating
>>> FreeIPA is awesome.
>>>
>>> Please point me to any docs, if there is reading I could be doing :)
>>>
>>> Here are some open questions I have:
>>>
>>> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
>>> password and is that password equal to the dm_password ? If not, where
>>> do the pub/priv key pairs come from and how do they get transferred to
>>> the replica.
>> Yes. Grep for function expand_replica_info in FreeIPA git.
>>
>>> 2) If I have root on the IPA server (actually all of them) how can I
>>> run ipa-replica-prepare without needing interactive prompting for
>>> entering the password. It's not possible with puppet. Is there another
>>> (possibly less user friendly even) method to "prepare" the replica?
>>> What is prepare actually doing?
>> For this, you can for example use --password for passing the DM password.
> 
> I guess the question is more:
> If I am root is there any way to do the operation without providing the
> password but rather using something like LDAPI to drive the operation.
> The issue is that if you use puppet there is no way to get the password
> dynamically from some kind of source without baking it into the scripts.
> Baking passwords into scripts is bad so to avoid it there needs to be a
> way for root to install replica without it. I am not sure it is
> currently possible though.

No, there is nothing special root can do. There is no server yet that
root could do anything with.

We still need the DM password to do a lot of installation, so either you
bake that into the replica file or it is provided at install time. There
are good and bad points to both.

rob
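The pattern the thread converges on (keep the DM password out of the Puppet manifest, hand it to ipa-replica-prepare at run time, and verify that the resulting replica file is in fact a GPG symmetric archive opened by that same password, as expand_replica_info does) looks like this when typed out. This is an added example, not code from FreeIPA or from anyone on the list. It assumes a root-only password file (the path /etc/ipa/dm_password is hypothetical), the --password and --ip-address options of ipa-replica-prepare as they exist in FreeIPA 3.x/4.x, and a gpg that accepts --passphrase-fd 0 in batch mode; the IPA_REPLICA_PREPARE and REPLICA_INFO_DIR variables are hypothetical overrides added so the wrapper can be exercised without a real master.

```shell
#!/bin/sh
# Added example (not FreeIPA code): prepare a replica non-interactively
# from a config-management run without baking the DM password into the
# manifest. The password lives in a root-only file on the master and is
# read only at run time.
#
# Assumptions: the password file path is supplied by the caller
# (e.g. the hypothetical /etc/ipa/dm_password); ipa-replica-prepare takes
# --password and --ip-address as in FreeIPA 3.x/4.x; IPA_REPLICA_PREPARE
# and REPLICA_INFO_DIR are hypothetical overrides for testing.

IPA_REPLICA_PREPARE="${IPA_REPLICA_PREPARE:-ipa-replica-prepare}"
REPLICA_INFO_DIR="${REPLICA_INFO_DIR:-/var/lib/ipa}"

# Print the DM password from FILE, refusing any file that group or
# others can read. Parsing ls -l keeps this portable between GNU and
# BSD stat. Only the first line is used.
read_dm_password() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "password file missing: $f" >&2
        return 1
    fi
    perms=$(ls -ld "$f" | cut -c5-10)
    case "$perms" in
        ------) ;;
        *) echo "refusing $f: group/other bits set ($perms)" >&2; return 1 ;;
    esac
    head -n 1 "$f"
}

# Run ipa-replica-prepare for REPLICA_FQDN with the password read from
# PASSFILE, optionally forcing the replica's A record with IP. Prints the
# path of the resulting replica file on success.
# Caveat: --password puts the secret in the argument list, so it is
# visible in ps for the lifetime of the process; this is acceptable only
# on a master with no untrusted local users, which is the other reason
# the password file itself must be root-only.
prepare_replica() {
    fqdn="$1"; passfile="$2"; ip="${3:-}"
    pw=$(read_dm_password "$passfile") || return 1
    set -- --password="$pw" "$fqdn"
    if [ -n "$ip" ]; then
        set -- --ip-address="$ip" "$@"
    fi
    "$IPA_REPLICA_PREPARE" "$@" || return 1
    echo "$REPLICA_INFO_DIR/replica-info-$fqdn.gpg"
}

# Sanity-check a replica file. It is a GPG symmetric archive encrypted
# with the DM password (see expand_replica_info in the FreeIPA source),
# so the same password must open it. Lists the tar members without
# writing the plaintext to disk.
# Assumption: gpg 2.1+ may additionally need --pinentry-mode loopback.
inspect_replica_file() {
    gpgfile="$1"; passfile="$2"
    pw=$(read_dm_password "$passfile") || return 1
    printf '%s\n' "$pw" | gpg --batch --yes --quiet --passphrase-fd 0 \
        --decrypt "$gpgfile" | tar -tf -
}
```

Typical use on the master, as root: `prepare_replica replica1.example.com /etc/ipa/dm_password 192.0.2.10` followed by `inspect_replica_file /var/lib/ipa/replica-info-replica1.example.com.gpg /etc/ipa/dm_password`. The second call is the practical answer to question 1 in the thread: if the DM password does not decrypt the file, nothing else about the replica file is worth debugging. Note that this only moves the secret out of Puppet; as Rob says, the password is still needed on the replica side at ipa-replica-install time, either baked into the replica file or passed with --password there as well.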
