Always use GSSAPI to set up initial replication #234

Closed
wants to merge 5 commits into from

Conversation

martbab
Contributor

@martbab martbab commented Nov 11, 2016

This PR makes the DS replica use a common method to set up initial replication in both domain levels, namely GSSAPI. Since the workflow was introduced during the replica promotion work, I have taken special care to make it work also against old (think IPA 3.0.0) masters that may still be in production.

https://fedorahosted.org/freeipa/ticket/6406

@MartinBasti
Contributor

Traceback (most recent call last):
  File "/sbin/ipa-server-install", line 23, in <module>
    from ipaserver.install import ipa_server_install
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_install.py", line 8, in <module>
    from ipaserver.install.server import ServerMasterInstall
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 31, in <module>
    from .install import validate_admin_password, validate_dm_password
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 34, in <module>
    from ipaserver.install import (
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ca.py", line 19, in <module>
    from ipaserver.install import (cainstance,
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 64, in <module>
    from ipaserver.install import dsinstance
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 41, in <module>
    from ipaserver.install import replication
  File "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py", line 54, in <module>
    api.env.container_sysaccounts, api.env.basedn)
AttributeError: 'Env' object has no attribute 'container_sysaccounts'

Martin Babinsky added 5 commits November 11, 2016 15:18
The method that sets up initial GSSAPI replication in DL1 was augmented so
that the specified bind DN/bind password allows a simple bind to the remote master
using STARTTLS. The CA certificate for the connection is also configurable.

This facilitates the use of this method in DL0, where a GSSAPI bind cannot be
used during DS bootstrap while DM credentials are available.

https://fedorahosted.org/freeipa/ticket/6406
In addition to improving the readability of the
`setup_krb_princs_as_replica_binddns` method, the reusable bits were factored
out into separate methods.

https://fedorahosted.org/freeipa/ticket/6406
IPA 3.x masters neither have the 'cn=replication managers' sysaccount group set
up, nor do they support adding the nsds5ReplicaBinddnGroup attribute to the
replica config objects.

In order for the common replication mechanism to work against
them, the replica must be ready to supply the required information to the old
master.

https://fedorahosted.org/freeipa/ticket/6406
Set up initial replication using GSSAPI also in domain level 0. For this to
work, the supplied DM password is used to connect to the remote master and set up
agreements. The workflow is unchanged in DL1, where a GSSAPI bind as host or
admin is used.

This obsoletes the conversion of replication agreements to GSSAPI made in DL0
during KDC installation.

https://fedorahosted.org/freeipa/ticket/6406
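The commit messages above describe two decisions: which bind the new replica uses towards the remote master (GSSAPI in DL1, a simple bind as Directory Manager over STARTTLS in DL0), and how the replica's ldap/ principal is made acceptable as a replication bind identity on a current master (member of 'cn=replication managers', referenced via nsds5ReplicaBinddnGroup) versus an IPA 3.x master (no group, so the principal DN must be listed directly in nsDS5ReplicaBindDN). The following Python is an added illustration of that logic, not code from this PR or from FreeIPA. LDAP entries are plain dicts standing in for search results and the output uses python-ldap's (op, attr, values) modlist shape; the group DN, the replica-config DN layout, the suffix and the principal DNs are assumptions built from standard 389-ds/IPA naming, not read from the project.

```python
"""
Added example (not FreeIPA's own code): choose the bind towards the remote
master and compute what the master must be told so the replica's ldap/
principal can bind for replication, for both current and IPA 3.x masters.
"""
from dataclasses import dataclass
from typing import Optional

MOD_ADD = 0  # same numeric value python-ldap's ldap.MOD_ADD has


@dataclass(frozen=True)
class BindPlan:
    method: str                  # "gssapi" or "simple"
    bind_dn: Optional[str]
    start_tls: bool
    ca_cert_file: Optional[str]


def choose_bind(domain_level: int, dm_password: Optional[str] = None,
                ca_cert_file: Optional[str] = None) -> BindPlan:
    """Pick how the new replica authenticates to the remote master."""
    if domain_level >= 1:
        # DL1: the host or admin Kerberos ticket is enough, no password needed.
        return BindPlan("gssapi", None, False, None)
    # DL0: no Kerberos identity yet during DS bootstrap, but DM credentials exist.
    if not dm_password:
        raise ValueError("domain level 0 needs the Directory Manager password")
    if not ca_cert_file:
        # Refuse to send the DM password without verifying the master's certificate.
        raise ValueError("simple bind requires STARTTLS with a CA certificate")
    return BindPlan("simple", "cn=Directory Manager", True, ca_cert_file)


def _get(entry: dict, attr: str) -> list:
    """Case-insensitive attribute lookup, since LDAP attribute names are."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return list(values)
    return []


def replica_bind_changes(replica_config_dn: str, replica_config_entry: dict,
                         group_dn: str, group_entry: Optional[dict],
                         principal_dn: str) -> list:
    """
    Return (target_dn, modlist) pairs that let principal_dn bind for
    replication on the remote master; an empty list means nothing to do.
    """
    changes = []
    if _get(replica_config_entry, "nsds5ReplicaBinddnGroup") and group_entry is not None:
        # Current master: membership in the bind DN group is sufficient.
        members = [m.lower() for m in _get(group_entry, "member")]
        if principal_dn.lower() not in members:
            changes.append((group_dn, [(MOD_ADD, "member", [principal_dn])]))
        return changes
    # IPA 3.x master: no group support, so list the principal DN explicitly
    # on the replica config entry (idempotent if it is already there).
    bind_dns = [d.lower() for d in _get(replica_config_entry, "nsDS5ReplicaBindDN")]
    if principal_dn.lower() not in bind_dns:
        changes.append((replica_config_dn,
                        [(MOD_ADD, "nsDS5ReplicaBindDN", [principal_dn])]))
    return changes


# Constructed sample data (assumed suffix and host names, not real masters).
SUFFIX = "dc=example,dc=test"
REPLICA_CONFIG_DN = "cn=replica,cn=%s,cn=mapping tree,cn=config" % SUFFIX
GROUP_DN = "cn=replication managers,cn=sysaccounts,cn=etc,%s" % SUFFIX
PRINCIPAL_DN = ("krbprincipalname=ldap/replica1.example.test@EXAMPLE.TEST,"
                "cn=services,cn=accounts,%s" % SUFFIX)

# An IPA 3.x master: only the legacy replication manager DN, no group attribute.
OLD_MASTER_CONFIG = {
    "nsDS5ReplicaBindDN": ["cn=replication manager,cn=config"],
}
# A current master: replica config points at the sysaccount group.
NEW_MASTER_CONFIG = {
    "nsDS5ReplicaBindDN": ["cn=replication manager,cn=config"],
    "nsds5replicabinddngroup": [GROUP_DN],
}
NEW_MASTER_GROUP = {
    "member": ["krbprincipalname=ldap/master.example.test@EXAMPLE.TEST,"
               "cn=services,cn=accounts,%s" % SUFFIX],
}

if __name__ == "__main__":
    print(choose_bind(0, dm_password="secret", ca_cert_file="/etc/ipa/ca.crt"))
    print(replica_bind_changes(REPLICA_CONFIG_DN, OLD_MASTER_CONFIG,
                               GROUP_DN, None, PRINCIPAL_DN))
    print(replica_bind_changes(REPLICA_CONFIG_DN, NEW_MASTER_CONFIG,
                               GROUP_DN, NEW_MASTER_GROUP, PRINCIPAL_DN))
```

The DL0 branch deliberately refuses a simple bind without a CA certificate: the whole point of the STARTTLS option in the first commit is that the Directory Manager password only travels inside a verified TLS session. The old-master branch only ever adds the principal DN to nsDS5ReplicaBindDN and never touches nsds5ReplicaBinddnGroup, matching the third commit's observation that 3.x masters reject that attribute.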
@martbab
Contributor Author

martbab commented Nov 15, 2016

@mbasti-rh will you continue reviewing this PR or should I defer it to some other time?

@MartinBasti MartinBasti self-assigned this Nov 15, 2016
@MartinBasti
Contributor

@martbab Working on it

@MartinBasti
Contributor

Works for me, but because testing this against IPA 3.x is not my destiny due to "issues", I cannot add ACK yet.

@MartinBasti MartinBasti added the ack Pull Request approved, can be merged label Nov 16, 2016
@MartinBasti MartinBasti added the pushed Pull Request has already been pushed label Nov 16, 2016
@martbab martbab deleted the replica-initial-sync-gssapi branch December 16, 2016 14:27