On Mon, 2015-08-03 at 18:43 -0400, Simo Sorce wrote:
> Hello freeipa-devel,
>
> this patchset implements the main piece of the replica promotion
> feature.
>
> It first introduces the custodia modules; custodia is a service that
> allows secrets to be securely transferred between FreeIPA instances, using
> asymmetric crypto and LDAP published keys to ensure confidentiality.
>
> These patches intentionally duplicate some code in the installer in
> order to avoid regression in the "classic" installer code path, in the
> hope that the promotion functionality will not unintentionally break the
> classic prepare/install code paths.
>
> To test this patchset you need the jwcrypto and custodia python
> packages. Jwcrypto is in Fedora rawhide already (built today for f22
> too) and Custodia is under review. I prepared two copr repositories for
> now so people can build.
> Use dnf copr enable simo/jwcrypto and dnf copr enable simo/custodia on
> your devel VMs to get the proper packages (dnf install custodia will
> suffice to drag in all dependencies).
>
> To test do NOT follow the usual path of creating a replica file on the
> master server with the ipa-replica-prepare tool.
> Instead prepare a machine and run:
> ipa-client-install
> ipa-replica-install --promote
>
> That should be it.
>
> You can optionally test the --setup-dns install option, but --setup-ca
> and --setup-kra do not work yet.
>
> If you kinit admin right after the client install, you'll be asked no
> passwords.
>
> Note that you need to raise the domain level to 1 before you can use the
> replica promotion code as it is intended to be used with the topology
> plugin activated.
>
> This patchset depends on the previous one sent last week.
>
> Cheers,
> Simo.
>
FYI I am withdrawing this patchset.

I have worked with Ludwig and Petr and greatly improved and fixed this original patchset and changed it considerably in the process; we'll soon propose a new patchset instead.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
