[Freeipa-devel] Changing CA replication agreements after raising domain level
Petr Vobornik
pvoborni at redhat.com
Fri Jul 31 11:33:00 UTC 2015
Discussed with Ludwig, but it might be interesting to the rest of the
team (and mainly Simo).
In FreeIPA 4.3 (management of CA agmts by a replication plugin), there
is a scenario as follows:
- an existing couple of replicas of version 4.2 and earlier (no topology
management)
- upgrade all to future 4.3
- raise domain level to 1
- optionally add a replica
All agmts are now managed by a topology plugin, but there is an issue
with the old CA agreements because they were created with bind method:
simple. At the moment, no code in the IPA framework is executed after raising a domain
level. Therefore the old CA agreements are not converted to use GSSAPI.
If the segments related to the old agreements are removed and then
re-added, topology plugin creates agreements which use GSSAPI.
The old agreements are not converted automatically by a topology plugin
because simple auth is still required for ipa-replica-install (for both
realm and o=ipaca suffix).
Nor can they be converted in the IPA upgrade, because the domain level is
raised after the upgrade.
The question is who should convert the old agmts after raising a domain
level: IPA or the topology plugin?
Some possible solutions are:
1. Convert the CA agmts in the domainlevel-set method.
2. Change the replica installer to set up Kerberos earlier so that new
agreements could use GSSAPI and therefore the topology plugin can convert
all managed agreements which don't use GSSAPI automatically.
3. Automatically convert all agmts by the topo plugin. Introduce an attr in
the repl agmt which would be set during replica installation to tell the
topo plugin not to convert the agmt while the attr is set. Then convert
in the installer or when the attr is removed.
#1 is an easy workaround but it creates yet another "sort of upgrade
path" in domain level set.
#2 is more or less a replica promotion.
#3 is another workaround.
From a long-term perspective, I like #2, but I don't know what the state
of replica promotion is. Simo?
Attaching the IPA patches which I use now (they don't contain the required topo
plugin patches).
--
Petr Vobornik
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-topology-manage-ca-replication-agreements.patch
Type: text/x-patch
Size: 24452 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150731/96527a7a/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-topology-plugin-configuration-workaround.patch
Type: text/x-patch
Size: 1076 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20150731/96527a7a/attachment-0001.bin>
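A check an administrator could run after raising the domain level, as an added example that is not part of this post or of FreeIPA: it reads an LDIF dump of the replication agreements under cn=mapping tree,cn=config (a constructed sample is embedded), lists the agreements per suffix that still use bind method SIMPLE, and emits the LDIF change record that would switch one of them to GSSAPI. The attribute values in that change record (SASL/GSSAPI over LDAP, simple-bind DN and credentials removed) are assumed to be the shape of the agreements the topology plugin creates.

```python
# Added example, not FreeIPA code. Sample data below is constructed.
# Constructed dump of cn=mapping tree,cn=config: one old CA agreement
# (simple bind) and one agreement created by the topology plugin (GSSAPI).
SAMPLE_LDIF = """\
dn: cn=caTo-replica2.example.test,cn=replica,cn=o\\3Dipaca,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaBindDN: cn=Replication Manager,ou=csusers,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaTransportInfo: TLS

dn: cn=meTo-replica2.example.test,cn=replica,cn=dc\\3Dexample\\2Cdc\\3Dtest,cn=mapping tree,cn=config
objectClass: nsds5replicationagreement
nsDS5ReplicaRoot: dc=example,dc=test
nsDS5ReplicaBindMethod: SASL/GSSAPI
nsDS5ReplicaTransportInfo: LDAP
"""

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: one dict per entry, attribute names lowercased."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():            # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def simple_bind_agreements(text: str) -> dict[str, list[str]]:
    """Map each replica root (suffix) to the DNs of its SIMPLE-bind agreements."""
    found: dict[str, list[str]] = {}
    for e in parse_ldif(text):
        classes = [c.lower() for c in e.get("objectclass", [])]
        # 389-ds treats a missing nsDS5ReplicaBindMethod as SIMPLE
        method = e.get("nsds5replicabindmethod", ["SIMPLE"])[0].upper()
        if "nsds5replicationagreement" in classes and method == "SIMPLE":
            found.setdefault(e["nsds5replicaroot"][0], []).append(e["dn"][0])
    return found

def gssapi_modify_ldif(dn: str) -> str:
    """LDIF change record converting one agreement to GSSAPI (assumed target shape)."""
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "replace: nsDS5ReplicaBindMethod", "nsDS5ReplicaBindMethod: SASL/GSSAPI", "-",
        "replace: nsDS5ReplicaTransportInfo", "nsDS5ReplicaTransportInfo: LDAP", "-",
        "delete: nsDS5ReplicaBindDN", "-", "delete: nsDS5ReplicaCredentials", ""])
```

On a real server the dump would come from a search of cn=mapping tree,cn=config for objectClass=nsds5replicationagreement; agreements found under o=ipaca with SIMPLE bind are the ones the post describes as never converted.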