On 01/12/2011 08:45 PM, Simo Sorce wrote:

The existing code sets up replication agreements by recycling the
Directory Manager password for the Replication Manager user.

This causes 2 issues:
- If you change the DM password newer replicas will fail to access the
   older masters as they will have a different password on their
   Replication Manager user. And conversely if you change this password
   when you set up a new replica we risk kicking off unrelated
   The main issue is the use of a single user for all replication

   This is bug #690

- Because you need to know the DM password to set up a new agreement
   you can't change the replication topology w/o using the Directory
   Manager user. (the connect command of ipa-replica-manage requires it)

   This is bug #644

The following patchset comprises 5 patches:

- 0044 Simply refactors some code to make the following patches smaller
   and more readable.

I only found two issues in the winsync code path (which I didn't test):

+            ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+            ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)

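Review bot: the second line overwrites the `IPAdmin` connection object created on the line above with whatever a bare `do_simple_bind(...)` returns, so the bound connection is lost; it should be a method call on the connection, `ad_conn.do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)`. Since this simple bind sends `ad_pwd` to the AD DC over port 636, it is also worth confirming that `cacert` can never be unset at this point, so the server certificate is actually verified before the password goes across.
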
I think the second line should say ad_conn.do_simple_bind()


+        self.basic_replication_setup(self.conn, replica_id)

basic_replication_setup() takes 4 parameters now.

- 0045 Remove unused stuff in ipa-replica-install


- 0046 Removes the ability to use alternative ports, we can't use
   non-standard ports anyway we are pretty much hardwired on std. ones
   all over the place.


- 0047 Change the replica setup so that the final replication agreement
   can use SASL/GSSAPI for authentication using the server's own ldap
   service principal to log into the other replicas for replication.
   To resolve the chicken/egg problem of needing kerberos credentials
   before kerberos principals are created, the replication setup process
   is split in 2 phases. A first phase uses the classic Simple auth over
   SSL to prime the replica. Once that's done the replication agreement
   is changed to use SASL/GSSAPI instead and the temporary replication
   manager user is removed.
   This patch also works around a DS bug in changing agreements by using
   389/TLS instead of 636/SSL for the initial replica synchronization.

   This fixes #690


- 0048 Adds code to directly set up GSSAPI agreements between existing
   replicas (no chicken/egg problem here wrt kerberos) and uses it in
   ipa-replica-manage when a link needs to be added.

   This fixes #644

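The two-phase setup described for patch 0047 above, as an added example that is not part of this thread or of FreeIPA's own code: it builds the phase-one agreement (simple bind over 389/TLS), the modify operations that convert the same agreement to SASL/GSSAPI and strip the temporary credentials, and the final removal of the temporary manager user, using the standard 389-ds agreement attributes. The DN layout, helper names, the phase-two transport setting and the RecordingConnection stand-in are assumptions.

```python
# Added illustration, not FreeIPA's own code: the two-phase agreement setup
# described for patch 0047, driven through a python-ldap-style connection.
# Attribute names are the standard 389-ds agreement attributes; the DN
# layout, helper names and RecordingConnection are assumptions.
MOD_DELETE, MOD_REPLACE = 1, 2                        # python-ldap's values
TEMP_MANAGER_DN = "cn=replication manager,cn=config"  # assumed temp user DN

def agreement_dn(name, suffix):
    # 389-ds keeps agreements under the replica entry of the suffix's mapping tree
    return 'cn=%s,cn=replica,cn="%s",cn=mapping tree,cn=config' % (name, suffix)

def phase1_entry(host, suffix, temp_password):
    # Phase 1: simple auth, since the new replica has no Kerberos principal yet;
    # 389/TLS rather than 636/SSL is the DS workaround from the description.
    return {
        "objectclass": ["top", "nsds5replicationagreement"],
        "cn": ["meTo" + host],
        "nsds5replicahost": [host],
        "nsds5replicaport": ["389"],
        "nsds5replicatransportinfo": ["TLS"],
        "nsds5replicabindmethod": ["SIMPLE"],
        "nsds5replicabinddn": [TEMP_MANAGER_DN],
        "nsds5replicacredentials": [temp_password],
        "nsds5replicaroot": [suffix],
    }

def phase2_modlist():
    # Phase 2: same agreement, now authenticating with the server's own ldap/
    # principal; the temporary bind DN and password leave the entry entirely.
    return [
        (MOD_REPLACE, "nsds5replicabindmethod", ["SASL/GSSAPI"]),
        (MOD_REPLACE, "nsds5replicatransportinfo", ["LDAP"]),  # assumed: GSSAPI SASL layer
        (MOD_DELETE, "nsds5replicabinddn", None),
        (MOD_DELETE, "nsds5replicacredentials", None),
    ]

def setup_two_phase(conn, host, suffix, temp_password, wait_for_init):
    dn = agreement_dn("meTo" + host, suffix)
    conn.add_s(dn, list(phase1_entry(host, suffix, temp_password).items()))
    wait_for_init()  # real code polls nsds5replicaLastInitStatus on the agreement
    conn.modify_s(dn, phase2_modlist())
    conn.delete_s(TEMP_MANAGER_DN)  # temporary manager user is no longer needed
    return dn

class RecordingConnection:
    """Offline stand-in for an LDAP connection: records operations in order."""
    def __init__(self): self.ops = []
    def add_s(self, dn, attrs): self.ops.append(("add", dn, dict(attrs)))
    def modify_s(self, dn, mods): self.ops.append(("modify", dn, mods))
    def delete_s(self, dn): self.ops.append(("delete", dn))
```

Against a live server the RecordingConnection is replaced by a bound python-ldap connection and wait_for_init by a poll of the agreement's init status.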

Freeipa-devel mailing list
