author | Martin Babinsky <mbabinsk@redhat.com> | 2016-11-09 14:48:56 +0100 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-11-17 00:39:17 +0100 |
commit | ce2bb47cca03eda1ff85f4725abb92c639f34ecc (patch) | |
tree | ed72bb2fc1c71cb9a5f84efdb87f27f9cdcaa208 | |
parent | 8378e1e39f44d49c2c90d2d0e7acd75a4fa95787 (diff) | |
Use common procedure to setup initial replication in both domain levels
Set up initial replication using GSSAPI also in domain level 0. For this to
work, the supplied DM password is used to connect to remote master and set up
agreements. The workflow is unchanged in DL1 where GSSAPI bind as host or
admin is used.
This obsoletes the conversion of replication agreements to GSSAPI made in DL0
during KDC installation.
https://fedorahosted.org/freeipa/ticket/6406
Reviewed-By: Martin Basti <mbasti@redhat.com>
-rw-r--r-- | ipaserver/install/dsinstance.py | 25 | ||||
-rw-r--r-- | ipaserver/install/krbinstance.py | 3 |
2 files changed, 20 insertions, 8 deletions
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index a604010da..f76378ea1 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -410,6 +410,16 @@ class DsInstance(service.Service):
     def __setup_replica(self):
+        """
+        Setup initial replication between replica and remote master.
+        GSSAPI is always used as a replication bind method. Note, however,
+        that the bind method for the replication differs between domain levels:
+        * in domain level 0, Directory Manager credentials are used to bind
+        to remote master
+        * in domain level 1, GSSAPI using admin/privileged host credentials
+        is used (we do not have access to masters' DM password in this
+        stage)
+        """
         replication.enable_replication_version_checking(
             self.realm,
             self.dm_password)
@@ -421,12 +431,17 @@ class DsInstance(service.Service):
         repl = replication.ReplicationManager(self.realm, self.fqdn,
                                               self.dm_password, conn=conn)
-        if self.promote:
-            repl.setup_promote_replication(self.master_fqdn)
+
+        if self.dm_password is not None and not self.promote:
+            bind_dn = DN(('cn', 'Directory Manager'))
+            bind_pw = self.dm_password
         else:
-            repl.setup_replication(self.master_fqdn,
-                                   r_binddn=DN(('cn', 'Directory Manager')),
-                                   r_bindpw=self.dm_password)
+            bind_dn = bind_pw = None
+
+        repl.setup_promote_replication(self.master_fqdn,
+                                       r_binddn=bind_dn,
+                                       r_bindpw=bind_pw,
+                                       cacert=self.ca_file)
         self.run_init_memberof = repl.needs_memberof_fixup()
     def __configure_sasl_mappings(self):
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index b7ae38f70..b5cfd79c2 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
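Review bot: The `else` branch in the second hunk folds two different situations — a DL1 promotion and a DL0 install whose `self.dm_password` is None — into the same `bind_dn = bind_pw = None` call, so a DL0 replica that lacks the DM password would quietly fall back to the GSSAPI-as-host/admin bind that the commit message says is not available at that level; whether `dm_password` can actually be None on the non-promote path is not visible here, so at least a comment should state why the fallthrough is acceptable, e.g. `# dm_password is None only when promoting (DL1); DL0 always supplies it`, or the branch should raise instead of proceeding. Passing `r_bindpw=self.dm_password` means the Directory Manager password is used in a simple bind against the remote master, so `cacert=self.ca_file` appears to be what makes that a verified TLS session; please confirm that `setup_promote_replication` refuses to bind when `self.ca_file` is None rather than continuing without certificate verification, since that code is outside this diff. In the first hunk the new docstring says GSSAPI "is always used" and then that the bind method "differs", which reads as a contradiction; I would reword it to distinguish the bind used to create the agreement (DM simple bind in DL0, GSSAPI as admin/host in DL1) from the bind the agreement itself uses for replication (GSSAPI in both). `__setup_replica` begins in the first hunk and the lines between the two hunks are not shown.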
@@ -180,9 +180,6 @@ class KrbInstance(service.Service):
         self.step("adding the password extension to the directory",
                   self.__add_pwd_extop_module)
         if setup_pkinit:
             self.step("installing X509 Certificate for PKINIT",
                       self.__setup_pkinit)
-        if not promote:
-            self.step("enable GSSAPI for replication",
-                      self.__convert_to_gssapi_replication)
         self.__common_post_setup()