Dmitri Pal wrote:
> On 05/23/2014 06:42 AM, Martin Kosek wrote:
>> On 05/23/2014 07:01 AM, James wrote:
>>> I'm trying to understand some of the FreeIPA replication internals so
>>> that I can better know how to do this properly in Puppet without
>>> storing any secret information in Puppet, and so that automating
>>> FreeIPA is awesome.
>>>
>>> Please point me to any docs, if there is reading I could be doing :)
>>>
>>> Here are some open questions I have:
>>>
>>> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
>>> password and is that password equal to the dm_password? If not, where
>>> do the pub/priv key pairs come from and how do they get transferred to
>>> the replica.
>> Yes. Grep for function expand_replica_info in FreeIPA git.
>>
>>> 2) If I have root on the IPA server (actually all of them) how can I
>>> run ipa-replica-prepare without needing interactive prompting for
>>> entering the password. It's not possible with puppet. Is there another
>>> (possibly less user friendly even) method to "prepare" the replica?
>>> What is prepare actually doing?
>> For, you can for example use --password for passing the DM password.
>
> I guess the question is more:
> If I am root is there any way to do the operation without providing the
> password but rather using something like LDAPI to drive the operation.
> The issue is that if you use puppet there is no way to get the password
> dynamically from some kind of source without baking it into the scripts.
> Baking passwords into scripts is bad so to avoid it there needs to be a
> way for root to install replica without it. I am not sure it is
> currently possible though.
No, there is nothing special root can do. There is no server yet that root could do anything with.

We still need the DM password to do a lot of installation, so either you bake that into the replica file or it is provided at install time. There are good and bad points to both.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel