On 05/23/2014 03:28 PM, Dmitri Pal wrote:
> On 05/23/2014 06:42 AM, Martin Kosek wrote:
>> On 05/23/2014 07:01 AM, James wrote:
>>> I'm trying to understand some of the FreeIPA replication internals so
>>> that I can better know how to do this properly in Puppet without
>>> storing any secret information in Puppet, and so that automating
>>> FreeIPA is awesome.
>>>
>>> Please point me to any docs, if there is reading I could be doing :)
>>>
>>> Here are some open questions I have:
>>>
>>> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
>>> password, and is that password equal to the dm_password? If not, where
>>> do the pub/priv key pairs come from and how do they get transferred to
>>> the replica?
>> Yes. Grep for function expand_replica_info in FreeIPA git.
>>
>>> 2) If I have root on the IPA server (actually all of them), how can I
>>> run ipa-replica-prepare without needing interactive prompting for
>>> entering the password? It's not possible with puppet. Is there another
>>> (possibly less user friendly even) method to "prepare" the replica?
>>> What is prepare actually doing?
>> For that, you can for example use --password for passing the DM password.
>
> I guess the question is more:
> If I am root, is there any way to do the operation without providing the
> password but rather using something like LDAPI to drive the operation?
> The issue is that if you use puppet there is no way to get the password
> dynamically from some kind of source without baking it into the scripts.
> Baking passwords into scripts is bad, so to avoid it there needs to be a way for
> root to install a replica without it. I am not sure it is currently possible
> though.
One cannot easily improve ipa-replica-prepare to work through LDAPI, as we also need to encipher the replica info package - and we cannot do that without the clear text DM password. The right way seems to be rather the RFE you filed:

https://fedorahosted.org/freeipa/ticket/2888

Martin

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel