[Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
Jakub Hrozek
jhrozek at redhat.com
Thu Jan 13 19:19:13 UTC 2011
On 01/12/2011 08:45 PM, Simo Sorce wrote:
>
> The existing code sets up replication agreements by recycling the
> Directory Manager password for the Replication Manager user.
>
> This causes 2 issues:
> - If you change the DM password newer replicas will fail to access the
> older masters as they will have a different password on their
> Replication Manager user. And conversely if you change this password
> when you set up a new replica we risk kicking off unrelated
> replicas.
> The main issue is the use of a single user for all replication
> agreements.
>
> This is bug #690
>
> - Because you need to know the DM password to set up a new agreement
> you can't change the replication topology w/o using the Directory
> Manager user. (the connect command of ipa-replica-manage requires it)
>
> This is bug #644
>
>
> The following patchset comprises 5 patches:
>
> - 0044 Simply refactors some code to make the following patches smaller
> and more readable.
>
I only found two issues in the winsync code path (which I didn't test):
+ ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+ ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
I think the second line should say ad_conn.do_simple_bind()
and:
+ self.basic_replication_setup(self.conn, replica_id)
basic_replication_setup() takes 4 parameters now.
> - 0045 Remove unused stuff in ipa-replica-install
>
Ack
> - 0046 Removes the ability to use alternative ports; we can't use
> non-standard ports anyway, we are pretty much hardwired on std. ones
> all over the place.
>
Ack
> - 0047 Change the replica setup so that the final replication agreement
> can use SASL/GSSAPI for authentication using the server's own ldap
> service principal to log into the other replicas for replication.
> To resolve the chicken/egg problem of needing kerberos credentials
> before kerberos principals are created, the replication setup process
> is split in 2 phases. A first phase uses the classic Simple auth over
> SSL to prime the replica. Once that's done the replication agreement
> is changed to use SASL/GSSAPI instead and the temporary replication
> manager user is removed.
> This patch also works around a DS bug in changing agreements by using
> 389/TLS instead of 636/SSL for the initial replica synchronization.
>
> This fixes #690
>
Ack
> - 0048 Adds code to directly set up GSSAPI agreements between existing
> replicas (no chicken/egg problem here wrt kerberos) and uses it in
> ipa-replica-manage when a link needs to be added.
>
> This fixes #644
>
Ack
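The second phase of the 0047 setup described above (an agreement primed with Simple auth over TLS is rewritten to SASL/GSSAPI and the temporary Replication Manager credentials are dropped), as an added example that is not code from the patch set or from FreeIPA: it models the agreement entry as a dict instead of a live 389 DS connection. The attribute names are the real 389 DS agreement attributes; the MOD_* values mirror python-ldap's constants, while the host, bind DN and password are constructed placeholders.

```python
# Added example, not FreeIPA code: phase 2 of the replica setup, modelled
# on a plain dict instead of a live 389 DS connection. MOD_* mirror
# python-ldap's constants so the modlist could be handed to modify_s().
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def gssapi_conversion_modlist(agreement):
    """Build the modlist that switches a primed agreement from Simple bind
    to SASL/GSSAPI and removes the temporary Replication Manager
    bind DN and password. Refuses agreements that are not in the expected
    phase-1 state, so a re-run or an unrelated agreement is left alone."""
    method = agreement.get("nsDS5ReplicaBindMethod", [""])[0].upper()
    if method == "SASL/GSSAPI":
        raise ValueError("agreement already uses SASL/GSSAPI")
    if method != "SIMPLE":
        raise ValueError("unexpected bind method %r" % method)
    return [
        (MOD_REPLACE, "nsDS5ReplicaBindMethod", ["SASL/GSSAPI"]),
        # GSSAPI brings its own integrity/confidentiality layer, so the
        # agreement goes back to plain LDAP rather than the priming TLS.
        (MOD_REPLACE, "nsDS5ReplicaTransportInfo", ["LDAP"]),
        (MOD_DELETE, "nsDS5ReplicaBindDN", None),
        (MOD_DELETE, "nsDS5ReplicaCredentials", None),
    ]


def apply_modlist(entry, modlist):
    """Apply a python-ldap style modlist to a copy of a dict entry
    (stand-in for conn.modify_s on the agreement DN)."""
    out = {k: list(v) for k, v in entry.items()}
    for op, attr, values in modlist:
        if op == MOD_REPLACE:
            out[attr] = list(values)
        elif op == MOD_DELETE:
            out.pop(attr, None)
        elif op == MOD_ADD:
            out.setdefault(attr, []).extend(values)
    return out


def temporary_credentials_present(entry):
    """True while the phase-1 bind DN or password still sits in the entry."""
    return any(a in entry for a in ("nsDS5ReplicaBindDN", "nsDS5ReplicaCredentials"))


# Constructed phase-1 agreement, as left by the Simple-auth-over-TLS priming.
PRIMED_AGREEMENT = {
    "nsDS5ReplicaHost": ["replica2.example.test"],          # placeholder host
    "nsDS5ReplicaPort": ["389"],
    "nsDS5ReplicaTransportInfo": ["TLS"],
    "nsDS5ReplicaBindMethod": ["SIMPLE"],
    "nsDS5ReplicaBindDN": ["cn=replication manager,cn=config"],
    "nsDS5ReplicaCredentials": ["CONSTRUCTED-PLACEHOLDER-PASSWORD"],
}
```

After the modlist is applied, checking `temporary_credentials_present()` on the re-read entry is the simplest way to confirm that the shared password really left the agreement.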