On 01/12/2011 08:45 PM, Simo Sorce wrote:


The existing code sets up replication agreements by recycling the
Directory Manager password for the Replication Manager user.

This causes 2 issues:
- If you change the DM password newer replicas will fail to access the
   older masters as they will have a different password on their
   Replication Manager user. And conversely if you change this password
   when you set up a new replica we risk kicking off unrelated
   replicas.
   The main issue is the use of a single user for all replication
   agreements.

   This is bug #690

- Because you need to know the DM password to set up a new agreement
   you can't change the replication topology w/o using the Directory
   Manager user. (the connect command of ipa-replica-manage requires it)

   This is bug #644


The following patchset comprises 5 patches:

- 0044 Simply refactors some code to make the following patches smaller
   and more readable.


I only found two issues in the winsync codepath (which I didn't test):

+            ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+            ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
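Review bot: the second line throws the connection away: assigning the return value of `do_simple_bind(...)` to `ad_conn` overwrites the `IPAdmin` object built on the line above, so nothing later in the winsync path holds a bound connection, and `do_simple_bind` is also referenced as a free name rather than as a method of that object. It should be `ad_conn.do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)`.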

I think the second line should say ad_conn.do_simple_bind()

and:

+        self.basic_replication_setup(self.conn, replica_id)
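Review bot: argument count mismatch: this call passes two arguments (`self.conn`, `replica_id`) while, per the note that `basic_replication_setup()` now takes 4 parameters, it would raise a TypeError the first time the winsync path runs. Since that path was not exercised in testing, the call needs to be updated to the refactored signature before merging.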

basic_replication_setup() takes 4 parameters now.

- 0045 Remove unused stuff in ipa-replica-install


Ack

- 0046 Removes the ability to use alternative ports; we can't use
   non-standard ports anyway, we are pretty much hardwired on std. ones
   all over the place.


Ack

- 0047 Change the replica setup so that the final replication agreement
   can use SASL/GSSAPI for authentication using the server's own ldap
   service principal to log into the other replicas for replication.
   To resolve the chicken/egg problem of needing kerberos credentials
   before kerberos principals are created, the replication setup process
   is split in 2 phases. A first phase uses the classic Simple auth over
   SSL to prime the replica. Once that's done the replication agreement
   is changed to use SASL/GSSAPI instead and the temporary replication
   manager user is removed.
   This patch also works around a DS bug in changing agreements by using
   389/TLS instead of 636/SSL for the initial replica synchronization.

   This fixes #690


Ack

- 0048 Adds code to directly set up GSSAPI agreements between existing
   replicas (no chicken/egg problem here wrt kerberos) and uses it in
   ipa-replica-manage when a link needs to be added.

   This fixes #644


Ack
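The phase switch that 0047 describes, written out as an added example (not FreeIPA's code) against a 389 DS replication agreement entry: audit what a primed SIMPLE agreement still exposes, then produce the modifications that move it to SASL/GSSAPI and drop the temporary credentials. The attribute names are the real 389 DS agreement attributes; the agreement dicts, DNs, the modlist representation and the `apply_modlist` helper are constructed for the example.

```python
# Added example, not FreeIPA or 389 DS code. Agreement entries are modelled as
# plain dicts of attribute -> value; modlists use python-ldap style triples.
from typing import Dict, List, Optional, Tuple

Agreement = Dict[str, str]
Mod = Tuple[str, str, Optional[str]]

DIRECTORY_MANAGER = "cn=Directory Manager"  # 389 DS default root DN (assumed)

def audit_agreement(agreement: Agreement) -> List[str]:
    """Return the weaknesses an agreement carries before the GSSAPI switch."""
    findings = []
    method = agreement.get("nsds5ReplicaBindMethod", "SIMPLE").upper()
    transport = agreement.get("nsds5ReplicaTransportInfo", "LDAP").upper()
    if method == "SIMPLE":
        findings.append("simple bind: a shared password is stored in the agreement")
        if transport == "LDAP":
            findings.append("simple bind without SSL/TLS: password crosses the wire in clear")
    if agreement.get("nsds5ReplicaBindDN", "").lower() == DIRECTORY_MANAGER.lower():
        findings.append("binds as Directory Manager: replication is tied to the DM password")
    return findings

def gssapi_modlist(agreement: Agreement) -> List[Mod]:
    """Phase 2: switch a primed agreement to SASL/GSSAPI and remove the temp user's
    DN and password. The transport is left alone: phase 1 already runs on 389/TLS,
    as the patch does, so nothing port-related has to change here."""
    if agreement.get("nsds5ReplicaBindMethod", "").upper() == "SASL/GSSAPI":
        return []  # already converted, idempotent
    mods: List[Mod] = [("MOD_REPLACE", "nsds5ReplicaBindMethod", "SASL/GSSAPI")]
    # With GSSAPI the identity comes from the replica's keytab; the stored DN and
    # credentials are now a liability rather than a requirement, so delete them.
    for attr in ("nsds5ReplicaBindDN", "nsds5ReplicaCredentials"):
        if attr in agreement:
            mods.append(("MOD_DELETE", attr, None))
    return mods

def apply_modlist(agreement: Agreement, mods: List[Mod]) -> Agreement:
    """Apply a modlist to a copy of the entry (constructed stand-in for ldap.modify_s)."""
    result = dict(agreement)
    for op, attr, value in mods:
        if op == "MOD_REPLACE" and value is not None:
            result[attr] = value
        elif op == "MOD_DELETE":
            result.pop(attr, None)
    return result
```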

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
