On Mon, 2015-08-03 at 18:43 -0400, Simo Sorce wrote:
> Hello freeipa-devel,
> this patchset implements the main piece of the replica promotion
> feature.
> It first introduces the custodia modules, custodia is a service that
> allows to securely transfer secrets between FreeIPA instances, using
> asymmetric crypto and LDAP published keys to ensure confidentiality.
> These patches intentionally duplicate some code in the installer in
> order to avoid regression in the "classic" installer code path, in the
> hope that the promotion functionality will not unintentionally break the
> classic prepare/install code paths.
> To test this patchset you need the jwcrypto and custodia python
> packages. Jwcrypto is in Fedora rawhide already (built today for f22
> too) and Custodia is under review. I prepared two copr repositories for
> now so people can build.
> Use dnf copr enable simo/jwcrypto and dnf copr enable simo/custodia on
> your devel VMs to get the proper packages (dnf install custodia will
> suffice to drag in all dependencies).
> To test do NOT follow the usual path of creating a replica file on the
> master server with the ipa-replica-prepare tool.
> Instead prepare a machine and run:
> ipa-client-install
> ipa-replica-install --promote
> That should be it.
> You can optionally test the --setup-dns install option, but --setup-ca
> and --setup-kra do not work yet.
> If you kinit admin right after the client install, you'll be asked no
> passwords.
> Note that you need to raise the domain level to 1 before you can use the
> replica promotion code as it is intended to be used with the topology
> plugin activated.
> This patchset depends on the previous one sent last week.
> Cheers,
> Simo.

FYI I am withdrawing this patchset. I have worked with Ludwig and Petr
and greatly improved and fixed this original patchset and changed it
considerably in the process, we'll soon propose a new patchset instead.


Simo Sorce * Red Hat, Inc * New York
