Issue 6123 - Allow DNA plugin to reuse global config for bind method … #6124
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…and connection protocol
Description:
FreeIPA configures uniform authentication and access methods for DNA
plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set
those, IPA installer has to wait until its own server entry is
asynchronously created by the DNA plugin and then update the entry. This
process takes up to two minutes which is almost a half of time spent on
creating IPA server with integrated DNS and external TLS certificates
(e.g., without integrated CA).
DNA plugin's configuration entry already allows to specify remote bind
DN and remote bind password. This is handled by
dna_get_shared_servers() which pulls remote_binddn and remote_bindpw
from the global config entry unconditionally:
...
server->remote_binddn = config_entry->remote_binddn;
server->remote_bindpw = config_entry->remote_bindpw;
server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i],
DNA_REMOTE_BIND_METHOD);
server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i],
DNA_REMOTE_CONN_PROT);
...
If we could add similar handling for remote_bind_method and
remote_conn_prot, with an override from the server entry, that would be
great. This way we can pre-create the configuration with the same
method/protocol values and skip waiting for the server entry to be
created from DNA plugin side.
Fixes: 389ds#6123
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
tbordaz
approved these changes
Mar 15, 2024
|
It would require to revisit RHDS doc (like dnaRemoteBindMethod). That is allowed in a shared config entry but also in plugin config entry (like dnaRemoteBindDN) |
|
@tbordaz Are you saying that it was always allowed (according to the documentation) but not implemented? I have trouble understanding your comment below:
|
|
Ah, got you: the documentation needs to be updated if this PR is merged. Yes, agreed. |
abbra
added a commit
to abbra/freeipa
that referenced
this pull request
Mar 15, 2024
With 389ds/389-ds-base#6124, DNA plugin will be able to pick up dnaRemoteBindMethod and dnaRemoteConnProtocol from the global plugin entry and apply to all server entries automatically. We do not need anymore to wait until the server configuration entry is created and update it explicitly. Related: 389ds/389-ds-base#6123 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
abbra
added a commit
to abbra/freeipa
that referenced
this pull request
Mar 15, 2024
With 389ds/389-ds-base#6124, DNA plugin will be able to pick up dnaRemoteBindMethod and dnaRemoteConnProtocol from the global plugin entry and apply to all server entries automatically. We do not need anymore to wait until the server configuration entry is created and update it explicitly. Related: 389ds/389-ds-base#6123 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
droideck
approved these changes
May 27, 2024
There was a problem hiding this comment.
Looks good! Do we wait untill freeipa/freeipa#7273 is merged?
|
No, it is the other way around: that one waits for 389-ds bit merged and released prior to merge. |
tbordaz
pushed a commit
that referenced
this pull request
May 28, 2024
…and connection protocol (#6124) Description: FreeIPA configures uniform authentication and access methods for DNA plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set those, IPA installer has to wait until its own server entry is asynchronously created by the DNA plugin and then update the entry. This process takes up to two minutes which is almost a half of time spent on creating IPA server with integrated DNS and external TLS certificates (e.g., without integrated CA). DNA plugin's configuration entry already allows to specify remote bind DN and remote bind password. This is handled by dna_get_shared_servers() which pulls remote_binddn and remote_bindpw from the global config entry unconditionally: ... server->remote_binddn = config_entry->remote_binddn; server->remote_bindpw = config_entry->remote_bindpw; server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_BIND_METHOD); server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_CONN_PROT); ... If we could add similar handling for remote_bind_method and remote_conn_prot, with an override from the server entry, that would be great. This way we can pre-create the configuration with the same method/protocol values and skip waiting for the server entry to be created from DNA plugin side. Fixes: #6123 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
tbordaz
pushed a commit
that referenced
this pull request
May 28, 2024
…and connection protocol (#6124) Description: FreeIPA configures uniform authentication and access methods for DNA plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set those, IPA installer has to wait until its own server entry is asynchronously created by the DNA plugin and then update the entry. This process takes up to two minutes which is almost a half of time spent on creating IPA server with integrated DNS and external TLS certificates (e.g., without integrated CA). DNA plugin's configuration entry already allows to specify remote bind DN and remote bind password. This is handled by dna_get_shared_servers() which pulls remote_binddn and remote_bindpw from the global config entry unconditionally: ... server->remote_binddn = config_entry->remote_binddn; server->remote_bindpw = config_entry->remote_bindpw; server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_BIND_METHOD); server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_CONN_PROT); ... If we could add similar handling for remote_bind_method and remote_conn_prot, with an override from the server entry, that would be great. This way we can pre-create the configuration with the same method/protocol values and skip waiting for the server entry to be created from DNA plugin side. Fixes: #6123 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
tbordaz
pushed a commit
that referenced
this pull request
May 28, 2024
…and connection protocol (#6124) Description: FreeIPA configures uniform authentication and access methods for DNA plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set those, IPA installer has to wait until its own server entry is asynchronously created by the DNA plugin and then update the entry. This process takes up to two minutes which is almost a half of time spent on creating IPA server with integrated DNS and external TLS certificates (e.g., without integrated CA). DNA plugin's configuration entry already allows to specify remote bind DN and remote bind password. This is handled by dna_get_shared_servers() which pulls remote_binddn and remote_bindpw from the global config entry unconditionally: ... server->remote_binddn = config_entry->remote_binddn; server->remote_bindpw = config_entry->remote_bindpw; server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_BIND_METHOD); server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i], DNA_REMOTE_CONN_PROT); ... If we could add similar handling for remote_bind_method and remote_conn_prot, with an override from the server entry, that would be great. This way we can pre-create the configuration with the same method/protocol values and skip waiting for the server entry to be created from DNA plugin side. Fixes: #6123 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…and connection protocol
Description:
FreeIPA configures uniform authentication and access methods for DNA plugin on all replicas: it uses SASL GSSAPI and LDAP. In order to set those, IPA installer has to wait until its own server entry is asynchronously created by the DNA plugin and then update the entry. This process takes up to two minutes which is almost a half of time spent on creating IPA server with integrated DNS and external TLS certificates (e.g., without integrated CA).
DNA plugin's configuration entry already allows to specify remote bind DN and remote bind password. This is handled by
dna_get_shared_servers() which pulls remote_binddn and remote_bindpw from the global config entry unconditionally:
...
server->remote_binddn = config_entry->remote_binddn;
server->remote_bindpw = config_entry->remote_bindpw;
server->remote_bind_method = slapi_entry_attr_get_charptr(entries[i],
DNA_REMOTE_BIND_METHOD);
server->remote_conn_prot = slapi_entry_attr_get_charptr(entries[i],
DNA_REMOTE_CONN_PROT);
...
If we could add similar handling for remote_bind_method and remote_conn_prot, with an override from the server entry, that would be great. This way we can pre-create the configuration with the same method/protocol values and skip waiting for the server entry to be created from DNA plugin side.
Fixes: #6123