[Freeipa-devel] Changing CA replication agreements after raising domain level

Petr Vobornik pvoborni at redhat.com
Fri Jul 31 11:33:00 UTC 2015


Discussed with Ludwig, but it might be interesting to the rest of the 
team (and mainly Simo)

In FreeIPA 4.3 - management of CA agmts by a replication plugin, there 
is a scenario as follows:

- existing couple of replicas of version 4.2 and earlier (no topology 
management)
- upgrade all to future 4.3
- raise domain level to 1
- optionally add a replica

All agmts are now managed by a topology plugin but there is an issue 
with the old CA agreements because they were created with bind method: 
simple. Atm. no code in IPA framework is executed after raising a domain 
level. Therefore the old CA agreements are not converted to use GSSAPI.

If the segments related to the old agreements are removed and then 
re-added, topology plugin creates agreements which use GSSAPI.

The old agreements are not converted automatically by a topology plugin 
because simple auth is still required for ipa-replica-install (for both 
realm and o=ipaca suffix).

Nor can they be converted in IPA upgrade because domain level is 
raised after the upgrade.

Question is who should convert the old agmts after raising a domain 
level. IPA or topology plugin?

Some possible solutions are:

1. Convert the CA agmts in domainlevel-set method
2. Change replica installer to setup Kerberos earlier so that new 
agreements could use GSSAPI and therefore topology plugin can convert 
all managed agreements which don't use GSSAPI automatically.
3. Automatically convert all agmts by topo plugin. Introduce an attr in 
repl agmnt which would be set during replica installation to tell the 
topo plugin to not convert the agmnt while the attr is set. Then convert 
in installer or when the attr is removed.

#1 is an easy workaround but it creates yet another "sort of upgrade 
path" in domain level set.
#2 is more or less a replica promotion.
#3 another workaround

From long term perspective, I like #2 but I don't know what's the state 
of replica promotion. Simo?

Attaching IPA patches which I use now (they don't contain the required topo 
plugin patches).
-- 
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-topology-manage-ca-replication-agreements.patch
Type: text/x-patch
Size: 24452 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150731/96527a7a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-topology-plugin-configuration-workaround.patch
Type: text/x-patch
Size: 1076 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150731/96527a7a/attachment-0001.bin>
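An added check for the situation described in this mail (my example, not part of the mail or of the attached patches): it reads an LDIF export of the cn=config replication agreements and lists, per suffix, every agreement whose nsDS5ReplicaBindMethod is still SIMPLE rather than SASL/GSSAPI, so that after raising the domain level an admin can verify no old realm or o=ipaca agreement was left unconverted. The attribute names are the standard 389-ds ones; the LDIF sample, hostnames and suffix are constructed.

```python
# Constructed LDIF, not a real dump: realm suffix with one converted and one
# unconverted agreement, plus an o=ipaca agreement still using simple bind.
SAMPLE_LDIF = """\
dn: cn=meToreplica2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: meToreplica2.example.test
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaBindMethod: SASL/GSSAPI

dn: cn=meToreplica3.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: meToreplica3.example.test
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE

dn: cn=caToreplica2.example.test,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
objectClass: nsDS5ReplicationAgreement
cn: caToreplica2.example.test
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1,ou=csusers,cn=config
nsDS5ReplicaBindMethod: SIMPLE
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank line ends an entry, names lower-cased, folded lines joined."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:      # sentinel flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:      # LDIF continuation line
            cur[last][-1] += line[1:]
        else:
            last, _, val = line.partition(": ")
            last = last.lower()
            cur.setdefault(last, []).append(val)
    return entries

def unconverted_agreements(text):
    """Map suffix -> agreement names whose bind method is not SASL/GSSAPI.
    An absent nsDS5ReplicaBindMethod is treated as SIMPLE (the 389-ds default)."""
    found = {}
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "nsds5replicationagreement" not in classes:
            continue
        if e.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper() != "SASL/GSSAPI":
            found.setdefault(e["nsds5replicaroot"][0], []).append(e["cn"][0])
    return found
```

On a live server the same function can be fed the output of an ldapsearch over cn=mapping tree,cn=config for objectClass=nsDS5ReplicationAgreement; an empty result after domain level 1 means every managed agreement has been converted.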