[Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements

Jakub Hrozek jhrozek at redhat.com
Thu Jan 13 19:19:13 UTC 2011


On 01/12/2011 08:45 PM, Simo Sorce wrote:
>
> The existing code sets up replication agreements by recycling the
> Directory Manager password for the Replication Manager user.
>
> This causes 2 issues:
> - If you change the DM password newer replicas will fail to access the
>    older masters as they will have a different password on their
>    Replication Manager user. And conversely if you change this password
>    when you set up a new replica we risk kicking off unrelated
>    replicas.
>    The main issue is the use of a single user for all replication
>    agreements.
>
>    This is bug #690
>
> - Because you need to know the DM password to set up a new agreement
>    you can't change the replication topology w/o using the Directory
>    Manager user. (the connect command of ipa-replica-manage requires it)
>
>    This is bug #644
>
>
> The following patchset comprises 5 patches:
>
> - 0044 Simply refactors some code to make the following patches smaller
>    and more readable.
>

I only found two issues in the winsync code path (which I didn't test):

+            ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+            ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
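Review bot: the second line calls `do_simple_bind` as a bare function and assigns its return value to `ad_conn`, discarding the `IPAdmin` connection created on the line before; it should be invoked as a method on that connection, `ad_conn.do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)`, without reassigning `ad_conn`.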

I think the second line should say ad_conn.do_simple_bind()

and:

+        self.basic_replication_setup(self.conn, replica_id)
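Review bot: this call passes only `self.conn` and `replica_id`, but the reply notes that `basic_replication_setup()` now takes four parameters; either update the call site to supply the two added arguments or give them defaults in the function signature, otherwise this winsync path fails with a TypeError at runtime.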

basic_replication_setup() takes 4 parameters now.

> - 0045 Remove unused stuff in ipa-replica-install
>

Ack

> - 0046 Removes the ability to use alternative ports, we can't use
>    non-standard ports anyway, we are pretty much hardwired on std. ones
>    all over the place.
>

Ack

> - 0047 Change the replica setup so that the final replication agreement
>    can use SASL/GSSAPI for authentication using the server's own ldap
>    service principal to log into the other replicas for replication.
>    To resolve the chicken/egg problem of needing kerberos credentials
>    before kerberos principals are created, the replication setup process
>    is split in 2 phases. A first phase uses the classic Simple auth over
>    SSL to prime the replica. Once that's done the replication agreement
>    is changed to use SASL/GSSAPI instead and the temporary replication
>    manager user is removed.
>    This patch also works around a DS bug in changing agreements by using
>    389/TLS instead of 636/SSL for the initial replica synchronization.
>
>    This fixes #690
>

Ack

> - 0048 Adds code to directly setup GSSAPI agreements between existing
>    replicas (no chicken/egg problem here wrt kerberos) and uses it in
>    ipa-replica-manage when a link needs to be added.
>
>    This fixes #644
>

Ack
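The two-phase agreement setup described for patch 0047 (prime with a SIMPLE bind over TLS on 389 using a temporary replication manager, then rewrite the agreement to SASL/GSSAPI, drop the stored credentials and remove the temporary user), as an added illustration that is not FreeIPA's own replication code. It builds the 389-DS agreement entry and python-ldap style modlists offline; the suffix quoting, the `cn=meTo<host>` naming, the temporary manager DN and the service principal DN are assumptions for the example, not values taken from the patch set.

```python
"""Two-phase 389-DS replication agreement setup (added example, offline)."""

# Same numeric values as python-ldap's ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE,
# defined here so the example runs without the ldap module installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Assumed DN of the temporary replication manager created in phase 1.
TEMP_REPL_MANAGER_DN = "cn=replication manager,cn=config"


def replica_dn(suffix):
    """Replica config entry for a suffix (assumed quoted-suffix form)."""
    return 'cn=replica,cn="%s",cn=mapping tree,cn=config' % suffix


def agreement_dn(peer_host, suffix):
    """Agreement entry name (assumed 'meTo<host>' convention)."""
    return "cn=meTo%s,%s" % (peer_host, replica_dn(suffix))


def phase1_agreement(peer_host, suffix, bind_dn, bind_pw):
    """Priming agreement: SIMPLE bind, StartTLS on 389 rather than SSL on 636.

    The password is stored in the agreement (nsDS5ReplicaCredentials), which is
    exactly what phase 2 removes.
    """
    return {
        "objectClass": ["top", "nsDS5ReplicationAgreement"],
        "cn": ["meTo%s" % peer_host],
        "nsDS5ReplicaHost": [peer_host],
        "nsDS5ReplicaPort": ["389"],
        "nsDS5ReplicaTransportInfo": ["TLS"],
        "nsDS5ReplicaBindDN": [bind_dn],
        "nsDS5ReplicaBindMethod": ["SIMPLE"],
        "nsDS5ReplicaCredentials": [bind_pw],
        "nsDS5ReplicaRoot": [suffix],
    }


def phase2_gssapi_mods():
    """Modlist turning a primed agreement into a SASL/GSSAPI one.

    Plain LDAP transport: GSSAPI negotiates its own integrity/confidentiality
    layer. The bind DN and stored password are deleted; the server's own ldap
    service ticket identifies it instead.
    """
    return [
        (MOD_REPLACE, "nsDS5ReplicaTransportInfo", ["LDAP"]),
        (MOD_REPLACE, "nsDS5ReplicaBindMethod", ["SASL/GSSAPI"]),
        (MOD_DELETE, "nsDS5ReplicaBindDN", None),
        (MOD_DELETE, "nsDS5ReplicaCredentials", None),
    ]


def allow_principal_mods(principal_dn):
    """On the peer's replica entry, authorize the ldap/<host> principal to
    replicate by adding its DN to the multi-valued nsDS5ReplicaBindDN."""
    return [(MOD_ADD, "nsDS5ReplicaBindDN", [principal_dn])]


def apply_mods(entry, mods):
    """Apply a python-ldap style modlist to an in-memory entry (copy)."""
    out = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        if op == MOD_REPLACE:
            out[attr] = list(values)
        elif op == MOD_DELETE:
            out.pop(attr, None)
        elif op == MOD_ADD:
            out.setdefault(attr, []).extend(values)
    return out


def is_gssapi_agreement(entry):
    """True when no password or bind DN remains and GSSAPI is selected."""
    return (entry.get("nsDS5ReplicaBindMethod") == ["SASL/GSSAPI"]
            and "nsDS5ReplicaCredentials" not in entry
            and "nsDS5ReplicaBindDN" not in entry
            and entry.get("nsDS5ReplicaTransportInfo") == ["LDAP"])


def two_phase_setup(peer_host, suffix, temp_pw, principal_dn):
    """Run both phases in memory; return final agreement and DNs to delete."""
    primed = phase1_agreement(peer_host, suffix, TEMP_REPL_MANAGER_DN, temp_pw)
    assert primed["nsDS5ReplicaCredentials"] == [temp_pw]   # phase 1 state
    final = apply_mods(primed, phase2_gssapi_mods())
    peer_replica = apply_mods({"nsDS5ReplicaBindDN": [TEMP_REPL_MANAGER_DN]},
                              allow_principal_mods(principal_dn))
    # Temporary manager is no longer referenced anywhere and can be deleted.
    return final, peer_replica, [TEMP_REPL_MANAGER_DN]


if __name__ == "__main__":
    # Constructed sample input for the example.
    final, peer, to_delete = two_phase_setup(
        "replica1.example.com", "dc=example,dc=com", "tmp-secret",
        "krbprincipalname=ldap/replica1.example.com@EXAMPLE.COM,"
        "cn=services,cn=accounts,dc=example,dc=com")
    print(agreement_dn("replica1.example.com", "dc=example,dc=com"))
    print(is_gssapi_agreement(final), to_delete)
```

On a live server the dict becomes an `add_s`, the modlists `modify_s` calls on the agreement and on the peer's replica entry, and the temporary manager DN a `delete_s`, in that order; the check function is the assertion to run before deleting the manager, since a leftover SIMPLE agreement would break as soon as that user is gone.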
