Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
On Fri, 14 Jan 2011 12:52:45 +0100 Jakub Hrozek wrote:
> Ack
>
> Although probably after yesterday's patches I had to do a 3-way merge
> on patch #47, so please check it merges OK.

Rebased and pushed to master all 5 patches.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
On 01/13/2011 09:19 PM, Simo Sorce wrote:
> On Thu, 13 Jan 2011 20:19:13 +0100
> Jakub Hrozek wrote:
>
>> I only found two issues in the winsync codepath (which I didn't
>> test):
>>
>> +ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636,
>> cacert=cacert)
>> +ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
>>
>> I think the second line should say ad_conn.do_simple_bind()
>>
>> and:
>>
>> +self.basic_replication_setup(self.conn, replica_id)
>>
>> basic_replication_setup() takes 4 parameters now.
>
> Fixed both, thanks for catching these ones!
>
> Attached 0044-2 patch, the others rebase on top cleanly, so I'll keep
> those acks :-)
>
> Simo.

Ack

Although probably after yesterday's patches I had to do a 3-way merge
on patch #47, so please check it merges OK.

Jakub
Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
On Thu, 13 Jan 2011 20:19:13 +0100 Jakub Hrozek wrote:
> I only found two issues in the winsync codepath (which I didn't
> test):
>
> +ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636,
> cacert=cacert)
> +ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)
>
> I think the second line should say ad_conn.do_simple_bind()
>
> and:
>
> +self.basic_replication_setup(self.conn, replica_id)
>
> basic_replication_setup() takes 4 parameters now.

Fixed both, thanks for catching these ones!

Attached 0044-2 patch, the others rebase on top cleanly, so I'll keep
those acks :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

>From f76826ff6824520839f54dba06cc356771811aac Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 10 Jan 2011 10:57:43 -0500
Subject: [PATCH] Refactor some replication code

This simplifies or rationalizes some code in order to make it easier to
change it to fix bug #690
---
 install/tools/ipa-replica-manage | 107 ++--
 ipaserver/install/dsinstance.py | 14 ++--
 ipaserver/install/replication.py | 171 +++--
 3 files changed, 137 insertions(+), 155 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index da2c9d4a7b8e4ac15d4a993a4ebff6d649a88c2c..9d8f151070199ee8efa73a7f85553c33ada7cda2 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -54,18 +54,19 @@ def parse_options(): parser.add_option("-f", "--force", dest="force", action="store_true", default=False, help="ignore some types of errors") parser.add_option("--port", type="int", dest="port", + default=replication.PORT, help="port number of other server") -parser.add_option("--binddn", dest="binddn", +parser.add_option("--binddn", dest="binddn", default=None, help="Bind DN to use with remote server") -parser.add_option("--bindpw", dest="bindpw", +parser.add_option("--bindpw", dest="bindpw", default=None, help="Password for Bind DN to use with remote server") parser.add_option("--winsync", dest="winsync", action="store_true", default=False, help="This is a Windows Sync Agreement") -parser.add_option("--cacert", dest="cacert", +parser.add_option("--cacert", dest="cacert", default=None, help="Full path and filename of CA certificate to use with TLS/SSL to the remote server") -parser.add_option("--win-subtree", dest="win_subtree", +parser.add_option("--win-subtree", dest="win_subtree", default=None, help="DN of Windows subtree containing the users you want to sync (default cn=Users," sys.exit(1) -repl = replication.ReplicationManager(options.fromhost, options.dirman_passwd) -repl.suffix = get_suffix() +repl = replication.ReplicationManager(realm, options.fromhost, options.dirman_passwd) thishost = installutils.get_fqdn() 
@@ -360,13 +339,12 @@ def re_initialize(options): repl.initialize_replication(entry[0].dn, repl.conn) repl.wait_for_repl_init(repl.conn, entry[0].dn) -ds = dsinstance.DsInstance(realm_name = get_realm_name(), dm_password = options.dirman_passwd) +ds = dsinstance.DsInstance(realm_name = realm, dm_password = options.dirman_passwd) ds.init_memberof() -def force_sync(thishost, fromhost, dirman_passwd): +def force_sync(realm, thishost, fromhost, dirman_passwd): -repl = replication.ReplicationManager(fromhost, dirman_passwd) -repl.suffix = get_suffix() +repl = replication.ReplicationManager(realm, fromhost, dirman_passwd) filter = "(&(nsDS5ReplicaHost=%s)(|(objectclass=nsDSWindowsReplicationAgreement)(objectclass=nsds5ReplicationAgreement)))" % thishost entry = repl.conn.search_s("cn=config", ldap.SCOPE_SUBTREE, filter) @@ -381,6 +359,7 @@ def main(): options, args = parse_options() dirman_passwd = None +realm = krbV.default_context().default_realm if options.host: host = options.host @@ -392,7 +371,7 @@ def main(): if options.dirman_passwd: dirman_passwd = options.dirman_passwd else: -if not test_connection(host) or args[0] == "connect": +if not test_connection(realm, host) or args[0] == "connect": dirman_passwd = getpass.getpass("Directory Manager password: ") options.dirman_passwd = dirman_passwd @@ -401,16 +380,16 @@ def main(): replica = None if len(args) == 2: replica = args[1] -list_masters(host, replica, dirman_passwd, options.verbose) +list_masters(realm, host, replica, dirman_passwd, options.verbose) elif args[0] == "del": -del_master(args[1], options) +del_master(realm, args[1], options) elif args[0] == "re-initialize": -re_initialize(options) +re_initialize(realm, opti
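Review bot: in the parse_options() hunk, `--bindpw` (now `default=None`) still takes the remote bind password as a command-line argument, where it is visible in `ps` output and stays in shell history; main() already prompts with `getpass.getpass("Directory Manager password: ")` when it needs the DM password, so do the same for the remote bind: when `--binddn` is given without `--bindpw`, prompt for it instead of requiring it on the command line.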
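Review bot: `realm = krbV.default_context().default_realm` in main() can raise a krbV.Krb5Error instead of producing a usable message when /etc/krb5.conf is absent or has no default_realm, which is exactly the state of a host whose replica install stopped halfway; catch the error and exit with a clear message, or fall back to the realm recorded by the install (the old `get_realm_name()` this hunk removes from re_initialize) rather than letting the traceback surface.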
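Review bot: while force_sync() is being changed to take `realm`, the search filter right below it, `"(&(nsDS5ReplicaHost=%s)(|...))" % thishost`, still interpolates the host name unescaped; `thishost` comes from the command line or the local FQDN, so a value containing `*`, `(` or `)` changes what the filter matches. Pass it through `ldap.filter.escape_filter_chars()` before formatting, and apply the same to the other agreement lookups in this file that use the same pattern.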
Re: [Freeipa-devel] [PATCH-SET] 0044-0048 Use SASL/GSSAPI for replication agreements
On 01/12/2011 08:45 PM, Simo Sorce wrote:
> The existing code sets up replication agreements by recycling the
> Directory Manager password for the Replication Manager user.
> This causes 2 issues:
> - If you change the DM password newer replicas will fail to access the
> older masters as they will have a different password on their
> Replication Manager user. And conversely if you change this password
> when you set up a new replica we risk kicking off unrelated replicas.
> The main issue is the use of a single user for all replication
> agreements. This is bug #690
> - Because you need to know the DM password to set up a new agreement
> you can't change the replication topology w/o using the Directory
> Manager user. (the connect command of ipa-replica-manage requires it)
> This is bug #644
>
> The following patchset comprises 5 patches:
> - 0044 Simply refactors some code to make the following patches
> smaller and more readable.

I only found two issues in the winsync codepath (which I didn't test):

+ad_conn = ipaldap.IPAdmin(ad_dc_name, port=636, cacert=cacert)
+ad_conn = do_simple_bind(binddn=ad_binddn, bindpw=ad_pwd)

I think the second line should say ad_conn.do_simple_bind()

and:

+self.basic_replication_setup(self.conn, replica_id)

basic_replication_setup() takes 4 parameters now.

> - 0045 Remove unused stuff in ipa-replica-install

Ack

> - 0046 Removes the ability to use alternative ports, we can't use
> non-standard ports anyway, we are pretty much hardwired on std. ones
> all over the place.

Ack

> - 0047 Change the replica setup so that the final replication
> agreement can use SASL/GSSAPI for authentication using the server's own
> ldap service principal to log into the other replicas for replication.
> To resolve the chicken/egg problem of needing kerberos credentials
> before kerberos principals are created, the replication setup process
> is split in 2 phases. A first phase uses the classic Simple auth over
> SSL to prime the replica.
> Once that's done the replication agreement is changed to use
> SASL/GSSAPI instead and the temporary replication manager user is
> removed.
> This patch also works around a DS bug in changing agreements by using
> 389/TLS instead of 636/SSL for the initial replica synchronization.
> This fixes #690

Ack

> - 0048 Adds code to directly set up GSSAPI agreements between existing
> replicas (no chicken/egg problem here wrt kerberos) and uses it in
> ipa-replica-manage when a link needs to be added.
> This fixes #644

Ack
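The second phase of the 0047 design quoted above (flip the agreement from Simple bind to SASL/GSSAPI, remove the password-bearing attributes, and let the supplier's ldap/ service principal replicate into the consumer) as an added, stand-alone example. This is not FreeIPA's code: it builds python-ldap style modlists from agreement and replica entries so the change can be inspected offline. It assumes the 389-ds attribute names nsDS5ReplicaBindMethod, nsDS5ReplicaTransportInfo, nsDS5ReplicaBindDN and nsDS5ReplicaCredentials; the temporary replication manager DN, the principal entry DN layout and the agreement values are constructed sample data, and the MOD_* codes mirror ldap.MOD_ADD/MOD_DELETE/MOD_REPLACE so the block runs without python-ldap installed. The last function is the detection side of bug #690: it reports SIMPLE-bind agreements that still share one bind DN.

```python
# Added example, not FreeIPA code. python-ldap modlist operation codes
# (ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE), defined locally so the
# example runs without python-ldap installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

# Constructed sample data (assumed DNs, not taken from a real server).
TEMP_REPL_MANAGER_DN = "cn=replication manager,cn=config"
SERVICE_PRINCIPAL_DN = ("krbprincipalname=ldap/replica2.example.com@EXAMPLE.COM,"
                        "cn=services,cn=accounts,dc=example,dc=com")

# One agreement as phase 1 leaves it: Simple bind over TLS with the shared user.
SAMPLE_AGREEMENT = {
    "cn": [b"meToreplica2.example.com"],
    "nsds5replicahost": [b"replica2.example.com"],
    "nsds5replicaport": [b"389"],
    "nsds5replicatransportinfo": [b"TLS"],
    "nsds5replicabindmethod": [b"SIMPLE"],
    "nsds5replicabinddn": [TEMP_REPL_MANAGER_DN.encode()],
    "nsds5replicacredentials": [b"{AES}constructed-placeholder"],
}


def _first(entry, attr):
    """Single string value of attr from an attr -> [bytes] entry (lowercase keys)."""
    vals = entry.get(attr.lower())
    return vals[0].decode() if vals else None


def agreement_to_gssapi(entry):
    """Modlist that moves one agreement from Simple bind to SASL/GSSAPI.

    Idempotent: an agreement already on GSSAPI yields an empty list, so the
    caller can run it over every agreement on a server.
    """
    if (_first(entry, "nsDS5ReplicaBindMethod") or "").upper() == "SASL/GSSAPI":
        return []
    mods = [
        (MOD_REPLACE, "nsDS5ReplicaBindMethod", [b"SASL/GSSAPI"]),
        # GSSAPI negotiates its own integrity/confidentiality layer, so the
        # agreement goes back to plain LDAP on 389 (assumption).
        (MOD_REPLACE, "nsDS5ReplicaTransportInfo", [b"LDAP"]),
    ]
    # Drop the bind DN and stored password; leaving them would keep the
    # temporary replication manager credentials in cn=config.
    for attr in ("nsDS5ReplicaBindDN", "nsDS5ReplicaCredentials"):
        if entry.get(attr.lower()):
            mods.append((MOD_DELETE, attr, None))
    return mods


def allow_principal_on_replica(replica_entry, principal_dn, temp_dn=None):
    """Modlist for the consumer's cn=replica entry: add the supplier's LDAP
    service principal entry DN to nsDS5ReplicaBindDN (the identity GSSAPI binds
    as) and remove the temporary replication manager DN if it is still listed."""
    current = [v.decode().lower() for v in replica_entry.get("nsds5replicabinddn", [])]
    mods = []
    if principal_dn.lower() not in current:
        mods.append((MOD_ADD, "nsDS5ReplicaBindDN", [principal_dn.encode()]))
    if temp_dn and temp_dn.lower() in current:
        mods.append((MOD_DELETE, "nsDS5ReplicaBindDN", [temp_dn.encode()]))
    return mods


def agreements_sharing_binddn(agreements):
    """Detection for the #690 situation: SIMPLE-bind agreements that all use
    one bind DN. Returns {bind_dn: [agreement cn, ...]} for DNs used by more
    than one agreement."""
    by_dn = {}
    for entry in agreements:
        if (_first(entry, "nsDS5ReplicaBindMethod") or "").upper() != "SIMPLE":
            continue
        dn = _first(entry, "nsDS5ReplicaBindDN")
        if dn:
            by_dn.setdefault(dn.lower(), []).append(_first(entry, "cn"))
    return {dn: cns for dn, cns in by_dn.items() if len(cns) > 1}


if __name__ == "__main__":
    for mod in agreement_to_gssapi(SAMPLE_AGREEMENT):
        print(mod)
    replica = {"nsds5replicabinddn": [TEMP_REPL_MANAGER_DN.encode()]}
    for mod in allow_principal_on_replica(replica, SERVICE_PRINCIPAL_DN, TEMP_REPL_MANAGER_DN):
        print(mod)
```

Order matters when applying these against a live pair of servers: the consumer's replica entry must accept the principal DN before the supplier's agreement is switched, otherwise the first GSSAPI bind is refused and the agreement stalls.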