DNA plugin defaults do not include remote BIND method and remote BIND protocol #6123
abbra added a commit to abbra/389-ds-base that referenced this issue, Mar 15, 2024

…and connection protocol

Description: FreeIPA configures uniform authentication and access methods for DNA plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set those, IPA installer has to wait until its own server entry is asynchronously created by the DNA plugin and then update the entry. This process takes up to two minutes which is almost a half of time spent on creating IPA server with integrated DNS and external TLS certificates (e.g., without integrated CA).

DNA plugin's configuration entry already allows to specify remote bind DN and remote bind password. This is handled by dna_get_shared_servers() which pulls remote_binddn and remote_bindpw from the global config entry unconditionally:

    ...
    server->remote_binddn = config_entry->remote_binddn;
    server->remote_bindpw = config_entry->remote_bindpw;
    server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_BIND_METHOD);
    server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_CONN_PROT);
    ...

If we could add similar handling for remote_bind_method and remote_conn_prot, with an override from the server entry, that would be great. This way we can pre-create the configuration with the same method/protocol values and skip waiting for the server entry to be created from DNA plugin side.

Fixes: 389ds#6123

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
I created a proposed PR #6124
abbra added a commit to abbra/freeipa that referenced this issue, Mar 15, 2024

With 389ds/389-ds-base#6124, DNA plugin will be able to pick up dnaRemoteBindMethod and dnaRemoteConnProtocol from the global plugin entry and apply to all server entries automatically. We do not need anymore to wait until the server configuration entry is created and update it explicitly.

Related: 389ds/389-ds-base#6123

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
tbordaz pushed a commit that referenced this issue, May 28, 2024

…and connection protocol (#6124)

Description: FreeIPA configures uniform authentication and access methods for DNA plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set those, IPA installer has to wait until its own server entry is asynchronously created by the DNA plugin and then update the entry. This process takes up to two minutes which is almost a half of time spent on creating IPA server with integrated DNS and external TLS certificates (e.g., without integrated CA).

DNA plugin's configuration entry already allows to specify remote bind DN and remote bind password. This is handled by dna_get_shared_servers() which pulls remote_binddn and remote_bindpw from the global config entry unconditionally:

    ...
    server->remote_binddn = config_entry->remote_binddn;
    server->remote_bindpw = config_entry->remote_bindpw;
    server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_BIND_METHOD);
    server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_CONN_PROT);
    ...

If we could add similar handling for remote_bind_method and remote_conn_prot, with an override from the server entry, that would be great. This way we can pre-create the configuration with the same method/protocol values and skip waiting for the server entry to be created from DNA plugin side.

Fixes: #6123

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
FreeIPA configures uniform authentication and access methods for DNA plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set those, IPA installer has to wait until its own server entry is asynchronously created by the DNA plugin and then update the entry. This process takes up to two minutes which is almost a half of time spent on creating IPA server with integrated DNS and external TLS certificates (e.g., without integrated CA).

DNA plugin's configuration entry already allows to specify remote bind DN and remote bind password. This is handled by dna_get_shared_servers() which pulls remote_binddn and remote_bindpw from the global config entry unconditionally:

If we could add similar handling for remote_bind_method and remote_conn_prot, with an override from the server entry, that would be great. This way we can pre-create the configuration with the same method/protocol values and skip waiting for the server entry to be created from DNA plugin side.
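
Added example, not part of the issue and not 389-ds-base code: a sketch of the requested precedence, where a value on the server entry overrides the global plugin entry and the resolved strings are copied so ownership is uniform. The struct and function names are hypothetical, and the cleartext check (a SIMPLE bind over plain LDAP) is an extra illustration that assumes an unset value behaves as SIMPLE / LDAP.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not the plugin's types. NULL means "attribute absent". */
struct dna_vals { const char *bind_method; const char *conn_prot; };
struct dna_effective { char *bind_method; char *conn_prot; }; /* owns heap copies */

static int ieq(const char *a, const char *b) /* case-insensitive equality */
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Server entry value wins, else the global default; always copy so nothing aliases. */
static int pick(const char *server_val, const char *global_val, char **out)
{
    const char *src = (server_val && *server_val) ? server_val : global_val;
    *out = src ? malloc(strlen(src) + 1) : NULL;
    if (*out) strcpy(*out, src);
    return (src && !*out) ? -1 : 0;
}

void dna_effective_free(struct dna_effective *e)
{
    free(e->bind_method);
    free(e->conn_prot);
    e->bind_method = e->conn_prot = NULL;
}

/* Returns 0 on success, -1 if a copy could not be allocated. */
int dna_resolve(const struct dna_vals *global, const struct dna_vals *server,
                struct dna_effective *out)
{
    int rc = pick(server->bind_method, global->bind_method, &out->bind_method) |
             pick(server->conn_prot, global->conn_prot, &out->conn_prot);
    if (rc)
        dna_effective_free(out);
    return rc ? -1 : 0;
}

/* 1 when a password bind would travel unencrypted: SIMPLE over plain LDAP.
 * Treating an unset value as SIMPLE / LDAP is this example's assumption. */
int dna_cleartext_bind(const struct dna_effective *e)
{
    int simple = !e->bind_method || ieq(e->bind_method, "SIMPLE");
    return simple && (!e->conn_prot || ieq(e->conn_prot, "LDAP"));
}
```

With global defaults of SASL/GSSAPI and LDAP and an empty server entry, the resolved pair is the global one; a server entry carrying only a bind method overrides that field and inherits the protocol.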