On 01/12/2011 08:45 PM, Simo Sorce wrote:
> The existing code sets up replication agreements by recycling the
> Directory Manager password for the Replication Manager user.
> This causes 2 issues:
> - If you change the DM password newer replicas will fail to access the
> older masters as they will have a different password on their
> Replication Manager user. And conversely if you change this password
> when you set up a new replica we risk kicking off unrelated
> The main issue is the use of a single user for all replication
> This is bug #690
> - Because you need to know the DM password to set up a new agreement
> you can't change the replication topology w/o using the Directory
> Manager user. (the connect command of ipa-replica-manage requires it)
> This is bug #644
> The following patchset comprises 5 patches:
> - 0044 Simply refactors some code to make the following patches smaller
> and more readable.
I only found two issues in the winsync code path (which I didn't test):
+ ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+ ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
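Review bot: the second line rebinds ad_conn to the return value of a bare do_simple_bind() call, so the IPAdmin connection object created on the line above is discarded and do_simple_bind is not resolvable as a free function in this scope; it should be a method call on the connection with no assignment, ad_conn.do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd).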
I think the second line should say ad_conn.do_simple_bind()
+ self.basic_replication_setup(self.conn, replica_id)
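Review bot: this call site still passes two arguments while the series changes basic_replication_setup() to take four; pass the added parameters here and check the other callers of basic_replication_setup() touched by the same series so the signature change does not leave another call site behind.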
basic_replication_setup() takes 4 parameters now.
> - 0045 Remove unused stuff in ipa-replica-install
> - 0046 Removes the ability to use alternative ports; we can't use
> non-standard ports anyway, we are pretty much hardwired on std. ones
> all over the place.
> - 0047 Change the replica setup so that the final replication agreement
> can use SASL/GSSAPI for authentication using the server's own ldap
> service principal to log into the other replicas for replication.
> To resolve the chicken/egg problem of needing kerberos credentials
> before kerberos principals are created, the replication setup process
> is split in 2 phases. A first phase uses the classic Simple auth over
> SSL to prime the replica. Once that's done the replication agreement
> is changed to use SASL/GSSAPI instead and the temporary replication
> manager user is removed.
> This patch also works around a DS bug in changing agreements by using
> 389/TLS instead of 636/SSL for the initial replica synchronization.
> This fixes #690
> - 0048 Adds code to directly set up GSSAPI agreements between existing
> replicas (no chicken/egg problem here wrt kerberos) and uses it in
> ipa-replica-manage when a link needs to be added.
> This fixes #644
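The two-phase switch described for patch 0047, and the pre-patch state that bugs #690 and #644 stem from, as an added Python example that is not part of this thread or of the FreeIPA patch series. It audits replication agreement entries for a SIMPLE bind as a shared account (the recycled Directory Manager / Replication Manager credential), and applies a phase-2 modification that moves an agreement to SASL/GSSAPI and drops the stored password. The attribute names (nsDS5ReplicaBindMethod, nsDS5ReplicaTransportInfo, nsDS5ReplicaBindDN, nsDS5ReplicaCredentials) are the 389 DS replication schema as the author of this example knows it, the exact modifications FreeIPA performs are an assumption, and all agreement entries and values are constructed, not taken from a real server.

```python
"""Audit 389 DS replication agreements for a shared-password SIMPLE bind and
model the phase-2 switch to SASL/GSSAPI.

Added example; attribute names follow the 389 DS replication schema and the
phase-2 modlist is an assumption about what the switch needs, not FreeIPA's
actual code.  Entries are plain dicts (attribute -> list of values) so the
script runs without an LDAP server."""

from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
Mod = Tuple[str, str, List[str]]  # (op, attribute, values); op in add/replace/delete

# Bind DNs that indicate the pre-patch scheme: one credential shared by every
# replica, so rotating it breaks agreements on the other masters (bug #690).
SHARED_BIND_DNS = {
    "cn=directory manager",
    "cn=replication manager,cn=config",
}


def _get(entry: Entry, attr: str, default: str) -> str:
    """Case-insensitive single-value lookup (LDAP attribute names ignore case)."""
    for key, values in entry.items():
        if key.lower() == attr.lower() and values:
            return values[0]
    return default


def audit_agreement(entry: Entry) -> List[str]:
    """Return findings for one agreement entry; an empty list means it is clean."""
    findings: List[str] = []
    method = _get(entry, "nsDS5ReplicaBindMethod", "SIMPLE").upper()
    transport = _get(entry, "nsDS5ReplicaTransportInfo", "LDAP").upper()
    bind_dn = _get(entry, "nsDS5ReplicaBindDN", "").strip().lower()

    if method == "SIMPLE":
        if bind_dn in SHARED_BIND_DNS:
            findings.append(f"SIMPLE bind as shared account {bind_dn}")
        if transport == "LDAP":
            # password-based bind with neither SSL (636) nor TLS (StartTLS on 389)
            findings.append("SIMPLE bind over cleartext LDAP")
    elif method == "SASL/GSSAPI":
        if _get(entry, "nsDS5ReplicaCredentials", ""):
            findings.append("GSSAPI agreement still carries a stored password")
    else:
        findings.append(f"unexpected bind method {method}")
    return findings


def phase2_modlist() -> List[Mod]:
    """Modifications that turn a primed SIMPLE agreement into a GSSAPI one
    (assumed shape of the phase-2 change; the temporary user is deleted separately)."""
    return [
        ("replace", "nsDS5ReplicaBindMethod", ["SASL/GSSAPI"]),
        ("delete", "nsDS5ReplicaBindDN", []),
        ("delete", "nsDS5ReplicaCredentials", []),
    ]


def apply_modlist(entry: Entry, mods: List[Mod]) -> Entry:
    """Apply an LDAP-style modlist to a dict entry and return the new entry."""
    new: Entry = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        key = next((k for k in new if k.lower() == attr.lower()), attr)
        if op == "replace":
            new[key] = list(values)
        elif op == "delete":
            new.pop(key, None)
        elif op == "add":
            new.setdefault(key, []).extend(values)
        else:
            raise ValueError(f"unknown modify op {op}")
    return new


# Constructed sample entries.
LEGACY_AGREEMENT: Entry = {   # pre-patch: recycled DM password, cleartext port
    "cn": ["meTovm-2.example.test"],
    "nsDS5ReplicaHost": ["vm-2.example.test"],
    "nsDS5ReplicaPort": ["389"],
    "nsDS5ReplicaTransportInfo": ["LDAP"],
    "nsDS5ReplicaBindDN": ["cn=Replication Manager,cn=config"],
    "nsDS5ReplicaBindMethod": ["SIMPLE"],
    "nsDS5ReplicaCredentials": ["{placeholder}constructed-not-a-real-hash"],
}
PHASE1_AGREEMENT: Entry = dict(LEGACY_AGREEMENT, nsDS5ReplicaTransportInfo=["TLS"])


if __name__ == "__main__":
    for name, agreement in (("legacy", LEGACY_AGREEMENT), ("phase1", PHASE1_AGREEMENT)):
        print(name, audit_agreement(agreement))
    print("phase2", audit_agreement(apply_modlist(PHASE1_AGREEMENT, phase2_modlist())))
```

Run against a real server the same functions would take entries fetched with a search under cn=mapping tree,cn=config; the audit is the check a defender wants after the switch, and the modlist models why phase 2 has to both change the bind method and remove the stored credential rather than only one of the two.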
Freeipa-devel mailing list