Hi FreeIPA, *intro*
As some of you might know, I'm currently working on deploying multi-master replicas with puppet. Since it looks like there will be security implications, I wanted to start off by trying to build some confidence. I want to demonstrate that I am as paranoid about getting the security bits right as you all are. *cough* I'm looking at you Simo ;) I've just announced the first sane implementation for secret handling in puppet. Since everyone does this wrong, I thought I'd do it right, by pioneering a new technique. You can read about it here: https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/ In short, the dm_password and admin_password never get touched by puppet, and are generated locally on the freeipa server. What this means is that puppet doesn't know what they are, and as a result, can't use them to accomplish admin tasks. *replicas* ipa-replica-prepare and ipa-replica-install work _too_ well. they're the one part of freeipa that are so easy to use by a human, but nearly impossible to use with puppet (without storing the password in puppet). puppet can't use them as is because they need you to enter a password (which i don't want it to have). Here is what I propose to do for accomplishing this. Please correct me if I've made a mistake, or recommend something different. ipa-replica-prepare seems to need the dm_password. This seems to be needed for symmetrically encrypting the bunch of files to transfer to the replica. Instead, I'll patch this process to allow use of a public key for asymetric encryption that is unique to the receiving replica. I'll make sure that each ipa server generates it's own keypair, and that the public halves are distributed to the sending hosts. I don't think there is any other need for the dm_password in ipa-replica-prepare. Did I miss something? ipa-replica-install needs the dm_password to decrypt the gpg file. Since I'm handling that with my asymmetric key pair, we don't need the password for that. mkosek was very kind in helping me dig through this part a bit, and it seems that the dm_password is needed to allow the replica to bind to the first server. I would need some help to find an alternative for this process. As was suggested, perhaps a one-time password could be generated and sent across the wire (with puppet) to the replica. Any mechanism that doesn't need the dm_password would be great. I don't think there is any other need for the dm_password in ipa-replica-install. Did I miss something? Of course if I store the dm_password in puppet, then it's easy to do this peering because it will be easy to use the password on each host. I could be done my puppet module already :) But I'm going out of my way to do it right, so that you'll all be proud of the work too! *symmetry* It would be especially elegant and beneficial to FreeIPA and the puppet module if the process of "peering" was symmetrical, that is to say, similar for any host. If I could use ipa-server-install to setup N hosts, and then run a secondary command to cause certain ones to "join" this would make the process much more natural for puppet. In addition, this would ensure that the configuration management itself is HA. Without this type of functionality, then if the first ipa server isn't available, then config management will be blocked. I would appreciate any recommendations on how to convert a previously installed ipa server into a replica. Of course it's fine that it will have it's data overwritten. Thanks again! Cheers, James _______________________________________________ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel