Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements

2011-01-14 Thread Simo Sorce
On Fri, 14 Jan 2011 12:52:45 +0100
Jakub Hrozek  wrote:

> Ack
> 
> Although probably after yesterday's patches I had to do a 3-way merge
> on patch #47, so please check it merges OK.

Rebased and pushed all 5 patches to master.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements

2011-01-14 Thread Jakub Hrozek
On 01/13/2011 09:19 PM, Simo Sorce wrote:
> On Thu, 13 Jan 2011 20:19:13 +0100
> Jakub Hrozek  wrote:
> 
>> I only found two issues in the winsync codepath (which I didn't
>> test):
>>
>> +ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636,
>> cacert=cacert)
>> +ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
>>
>> I think the second line should say ad_conn.do_simple_bind()
>>
>> and:
>>
>> +self.basic_replication_setup(self.conn, replica_id)
>>
>> basic_replication_setup() takes 4 parameters now.
> 
> Fixed both, thanks for catching these ones!
> 
> Attached 0044-2 patch, the others rebase on top cleanly, so I'll keep
> those acks :-)
> 
> Simo.
> 

Ack

Although probably after yesterday's patches I had to do a 3-way merge on
patch #47, so please check it merges OK.

Jakub



Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements

2011-01-13 Thread Simo Sorce
On Thu, 13 Jan 2011 20:19:13 +0100
Jakub Hrozek  wrote:

> I only found two issues in the winsync codepath (which I didn't
> test):
> 
> +ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636,
> cacert=cacert)
> +ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
> 
> I think the second line should say ad_conn.do_simple_bind()
> 
> and:
> 
> +self.basic_replication_setup(self.conn, replica_id)
> 
> basic_replication_setup() takes 4 parameters now.

Fixed both, thanks for catching these ones!

Attached 0044-2 patch, the others rebase on top cleanly, so I'll keep
those acks :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
From f76826ff6824520839f54dba06cc356771811aac Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 10 Jan 2011 10:57:43 -0500
Subject: [PATCH] Refactor some replication code

This simplifies or rationalizes some code in order to make it easier to change
it to fix bug #690
---
 install/tools/ipa-replica-manage |  107 ++--
 ipaserver/install/dsinstance.py  |   14 ++--
 ipaserver/install/replication.py |  171 +++--
 3 files changed, 137 insertions(+), 155 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index da2c9d4a7b8e4ac15d4a993a4ebff6d649a88c2c..9d8f151070199ee8efa73a7f85553c33ada7cda2 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -54,18 +54,19 @@ def parse_options():
 parser.add_option("-f", "--force", dest="force", action="store_true", default=False,
   help="ignore some types of errors")
 parser.add_option("--port", type="int", dest="port",
+  default=replication.PORT,
   help="port number of other server")
-parser.add_option("--binddn", dest="binddn",
+parser.add_option("--binddn", dest="binddn", default=None,
   help="Bind DN to use with remote server")
-parser.add_option("--bindpw", dest="bindpw",
+parser.add_option("--bindpw", dest="bindpw", default=None,
   help="Password for Bind DN to use with remote server")
 parser.add_option("--winsync", dest="winsync", action="store_true", default=False,
   help="This is a Windows Sync Agreement")
-parser.add_option("--cacert", dest="cacert",
+parser.add_option("--cacert", dest="cacert", default=None,
   help="Full path and filename of CA certificate to use with TLS/SSL to the remote server")
-parser.add_option("--win-subtree", dest="win_subtree",
+parser.add_option("--win-subtree", dest="win_subtree", default=None,
   help="DN of Windows subtree containing the users you want to sync (default cn=Users,"
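Review bot: `--bindpw` still takes the password on the command line, so it ends up in shell history and in `ps` output for the life of the process; main() below already reads the Directory Manager password with `getpass.getpass()` when it is not supplied, and the same prompt-if-missing treatment would suit `--bindpw` (the new `default=None` lets you detect the unset case). The added `default=None` on `--binddn`, `--cacert` and `--win-subtree` is what optparse does anyway, so it is harmless but redundant; the one default that changes behaviour is `--port` now falling back to `replication.PORT`, which is worth a line in the commit message.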
 sys.exit(1)
 
-repl = replication.ReplicationManager(options.fromhost, options.dirman_passwd)
-repl.suffix = get_suffix()
+repl = replication.ReplicationManager(realm, options.fromhost, options.dirman_passwd)
 
 thishost = installutils.get_fqdn()
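Review bot: with `repl.suffix = get_suffix()` dropped here, `ReplicationManager(realm, options.fromhost, options.dirman_passwd)` must now derive the suffix from the realm itself, and the constructor's argument order has changed so that realm comes first. A caller that still passes `(fromhost, dirman_passwd)` will not fail loudly; it will treat the hostname as the realm and the password as the host. Passing these as keyword arguments at the call sites would turn such a mismatch into an immediate TypeError.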
 
@@ -360,13 +339,12 @@ def re_initialize(options):
 repl.initialize_replication(entry[0].dn, repl.conn)
 repl.wait_for_repl_init(repl.conn, entry[0].dn)
 
-ds = dsinstance.DsInstance(realm_name = get_realm_name(), dm_password = options.dirman_passwd)
+ds = dsinstance.DsInstance(realm_name = realm, dm_password = options.dirman_passwd)
 ds.init_memberof()
 
-def force_sync(thishost, fromhost, dirman_passwd):
+def force_sync(realm, thishost, fromhost, dirman_passwd):
 
-repl = replication.ReplicationManager(fromhost, dirman_passwd)
-repl.suffix = get_suffix()
+repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
 
 filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % thishost
 entry = repl.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter)
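Review bot: the search filter built with `"(&(nsDS5ReplicaHost=%s)(|...))" % thishost` interpolates the hostname unescaped. Here thishost comes from the local machine, so it is not attacker-controlled, but wrapping it in `ldap.filter.escape_filter_chars()` costs nothing and keeps the pattern safe if the same code is later reached with a user-supplied host. Two style points in the same hunk: `filter` shadows the Python builtin, and `DsInstance(realm_name = realm, dm_password = options.dirman_passwd)` has spaces around `=` in keyword arguments that the rest of the file does not use.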
@@ -381,6 +359,7 @@ def main():
 options, args = parse_options()
 
 dirman_passwd = None
+realm = krbV.default_context().default_realm
 
 if options.host:
 host = options.host
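Review bot: `realm = krbV.default_context().default_realm` runs for every subcommand and raises `krbV.Krb5Error` when the local krb5.conf has no default_realm, which will surface as a traceback rather than a message; catching that and printing something like "unable to determine the Kerberos realm" would be friendlier. It also replaces the `get_realm_name()` lookup removed in the re_initialize hunk above, so it is worth confirming the two agree on a host whose IPA realm is not its Kerberos default realm.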
@@ -392,7 +371,7 @@ def main():
 if options.dirman_passwd:
 dirman_passwd = options.dirman_passwd
 else:
-if not test_connection(host) or args[0] == "connect":
+if not test_connection(realm, host) or args[0] == "connect":
 dirman_passwd = getpass.getpass("Directory Manager password: ")
 
 options.dirman_passwd = dirman_passwd
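Review bot: a failed `test_connection(realm, host)` now silently falls back to prompting for the Directory Manager password, so a broken GSSAPI path (expired ticket, wrong principal, missing keytab) is indistinguishable to the operator from the intended DM-password path. Printing why the Kerberos-authenticated connection was rejected before calling `getpass.getpass()` would stop people typing the DM password into a host whose GSSAPI setup is the real problem.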
@@ -401,16 +380,16 @@ def main():
 replica = None
 if len(args) == 2:
 replica = args[1]
-list_masters(host, replica, dirman_passwd, options.verbose)
+list_masters(realm, host, replica, dirman_passwd, options.verbose)
 elif args[0] == "del":
-del_master(args[1], options)
+del_master(realm, args[1], options)
 elif args[0] == "re-initialize":
-re_initialize(options)
+re_initialize(realm, opti
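Review bot: every helper in this dispatch chain gains realm as a new first positional argument (`list_masters`, `del_master`, `re_initialize`, and `force_sync` above); the hunk is cut off here, so the remaining branches of the if/elif chain cannot be checked from this mail and should be confirmed against the full patch. Since all of these functions now need the same realm, a module-level value or a small context object would avoid threading it through each signature and make a missed call site impossible.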

Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements

2011-01-13 Thread Jakub Hrozek

On 01/12/2011 08:45 PM, Simo Sorce wrote:
> The existing code sets up replication agreements by recycling the
> Directory Manager password for the Replication Manager user.
>
> This causes 2 issues:
> - If you change the DM password newer replicas will fail to access the
>   older masters as they will have a different password on their
>   Replication Manager user. And conversely if you change this password
>   when you set up a new replica we risk kicking off unrelated
>   replicas.
>   The main issue is the use of a single user for all replication
>   agreements.
>
>   This is bug #690
>
> - Because you need to know the DM password to set up a new agreement
>   you can't change the replication topology w/o using the Directory
>   Manager user. (the connect command of ipa-replica-manage requires it)
>
>   This is bug #644
>
> The following patchset comprises 5 patches:
>
> - 0044 Simply refactors some code to make the following patches smaller
>   and more readable.

I only found two issues in the winsync codepath (which I didn't test):

+ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)

I think the second line should say ad_conn.do_simple_bind()

and:

+self.basic_replication_setup(self.conn, replica_id)

basic_replication_setup() takes 4 parameters now.

> - 0045 Remove unused stuff in ipa-replica-install

Ack

> - 0046 Removes the ability to use alternative ports, we can't use
>   non-standard ports anyway we are pretty much hardwired on std. ones
>   all over the place.

Ack

> - 0047 Change the replica setup so that the final replication agreement
>   can use SASL/GSSAPI for authentication using the server own ldap
>   service principal to log into the other replicas for replication.
>   To resolve the chicken/egg problem of needing kerberos credentials
>   before kerberos principals are created, the replication setup process
>   is split in 2 phases. A first phase uses the classic Simple auth over
>   SSL to prime the replica. Once that's done the replication agreement
>   is changed to use SASL/GSSAPI instead and the temporary replication
>   manager user is removed.
>   This patch also works around a DS bug in changing agreements by using
>   389/TLS instead of 636/SSL for the initial replica synchronization.
>
>   This fixes #690

Ack

> - 0048 Adds code to directly setup GSSAPI agreements between existing
>   replicas (no chicken/egg problem here wrt kerberos) and uses it in
>   ipa-replica-manage when a link needs to be added.
>
>   This fixes #644

Ack
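The two-phase agreement setup that the 0047 cover letter describes (prime with a temporary simple-bind user over 389/TLS, then flip the agreement to SASL/GSSAPI and delete the temporary user) and the direct GSSAPI agreement of 0048 are easier to reason about when the two LDAP states are laid out side by side. The block below is an added example written for this page; it is not FreeIPA's replication.py. The attribute names (nsds5ReplicaBindMethod, nsds5ReplicaCredentials, nsds5ReplicaTransportInfo and friends) are 389 Directory Server's real replication-agreement attributes; everything else, the in-memory stand-in for an LDAP connection, the temporary bind DN `cn=replication manager,cn=config`, the `meTo<host>` agreement naming and the helper names, is an assumption made for the illustration. A real deployment creates the temporary user on the remote replica and the agreement locally; here both live in one dictionary to keep the example self-contained.

```python
# Added example, not FreeIPA code. Models the 0047 two-phase agreement setup and
# the 0048 direct GSSAPI agreement against an in-memory stand-in for 389-ds.
# Attribute names are real 389-ds ones; DNs, helper names and the stand-in are assumed.

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2   # same values as python-ldap's ldap.MOD_*

# Assumed DN of the throw-away replication manager used only during phase 1.
TEMP_REPL_MANAGER_DN = "cn=replication manager,cn=config"


class MemoryDirectory:
    """Minimal stand-in for an LDAP connection: DN -> {attr: [values]}."""

    def __init__(self):
        self.entries = {}

    def add_s(self, dn, attrs):
        if dn in self.entries:
            raise KeyError("entry already exists: %s" % dn)
        self.entries[dn] = {k.lower(): list(v) for k, v in attrs.items()}

    def modify_s(self, dn, modlist):
        entry = self.entries[dn]
        for op, attr, values in modlist:
            attr = attr.lower()
            if op == MOD_REPLACE:
                entry[attr] = list(values)
            elif op == MOD_ADD:
                entry.setdefault(attr, []).extend(values)
            elif op == MOD_DELETE:        # values=None removes the whole attribute
                entry.pop(attr, None)

    def delete_s(self, dn):
        del self.entries[dn]

    def search_agreements(self):
        """DNs of all replication agreements under cn=config, sorted."""
        return sorted(dn for dn, e in self.entries.items()
                      if "nsds5replicationagreement" in e.get("objectclass", []))


def agreement_dn(other_host, suffix):
    # 389-ds keeps agreements under the mapping-tree entry of the replicated
    # suffix; '=' and ',' inside that RDN value are escaped as in a real DN.
    escaped = suffix.replace("=", "\\3D").replace(",", "\\2C")
    return "cn=meTo%s,cn=replica,cn=%s,cn=mapping tree,cn=config" % (other_host, escaped)


def create_agreement(conn, other_host, suffix, temp_password=None):
    """Create an agreement to other_host.

    With temp_password: phase 1 of 0047, SIMPLE bind as the temporary user over
    389/TLS (not 636/SSL, the DS workaround mentioned in the cover letter).
    Without it: the direct SASL/GSSAPI agreement of 0048, authenticated by the
    server's own ldap/ service principal, so no bind DN or credential is stored.
    """
    dn = agreement_dn(other_host, suffix)
    attrs = {
        "objectclass": ["top", "nsds5replicationagreement"],
        "cn": ["meTo%s" % other_host],
        "nsds5replicahost": [other_host],
        "nsds5replicaport": ["389"],
        "nsds5replicatransportinfo": ["TLS"],
        "nsds5replicaroot": [suffix],
        "nsds5replicaupdateschedule": ["0000-2359 0123456"],
    }
    if temp_password is not None:
        if TEMP_REPL_MANAGER_DN not in conn.entries:
            conn.add_s(TEMP_REPL_MANAGER_DN, {"objectclass": ["top", "person"],
                                              "cn": ["replication manager"],
                                              "sn": ["replication manager"],
                                              "userpassword": [temp_password]})
        attrs.update({"nsds5replicabindmethod": ["SIMPLE"],
                      "nsds5replicabinddn": [TEMP_REPL_MANAGER_DN],
                      "nsds5replicacredentials": [temp_password]})
    else:
        attrs["nsds5replicabindmethod"] = ["SASL/GSSAPI"]
    conn.add_s(dn, attrs)
    return dn


def switch_to_gssapi(conn, dn):
    """Phase 2 of 0047: flip the agreement to SASL/GSSAPI and drop the temporary user."""
    conn.modify_s(dn, [
        (MOD_REPLACE, "nsds5replicabindmethod", ["SASL/GSSAPI"]),
        (MOD_DELETE, "nsds5replicabinddn", None),
        (MOD_DELETE, "nsds5replicacredentials", None),
    ])
    if TEMP_REPL_MANAGER_DN in conn.entries:
        conn.delete_s(TEMP_REPL_MANAGER_DN)


def audit_agreements(conn):
    """Agreements that still bind with SIMPLE or still carry a stored credential.

    The post-install check: an empty list means the bootstrap left nothing behind
    that a later Directory Manager password change (bug #690) could break.
    """
    leftovers = []
    for dn in conn.search_agreements():
        e = conn.entries[dn]
        if e.get("nsds5replicabindmethod") != ["SASL/GSSAPI"] or "nsds5replicacredentials" in e:
            leftovers.append(dn)
    return leftovers
```

`audit_agreements()` is the part worth keeping around: run against a real connection it is a one-line `ldapsearch -b cn=config "(objectclass=nsds5ReplicationAgreement)" nsds5ReplicaBindMethod nsds5ReplicaCredentials`, and any agreement it reports is one that the old DM-password coupling still applies to.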