Bug 1029640
| Field | Value |
|---|---|
| Summary | RHEL7 IPA to add DNA Plugin config for dnaRemote support |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | Scott Poore <spoore> |
| Component | ipa |
| Assignee | Pavel Picka <ppicka> |
| Status | CLOSED ERRATA |
| QA Contact | Namita Soman <nsoman> |
| Severity | unspecified |
| Priority | medium |
| Version | 7.0 |
| CC | ksiddiqu, mbasti, ppicka, pvoborni, rcritten, vashirov |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.4.0-0.el7.1.alpha1 |
| Doc Type | Bug Fix |
| Story Points | --- |
| Last Closed | 2016-11-04 05:43:45 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 1052754 |
| Bug Blocks | 1211366 |
Description
Scott Poore
2013-11-12 19:29:25 UTC

FYI, a link to the 389 project page covering the DNA Plugin configuration: http://directory.fedoraproject.org/wiki/DNA_Remote_Server_Settings

Upstream ticket: https://fedorahosted.org/freeipa/ticket/4026

To manually configure the DNA Plugin remote support, all shared DNA plugin configurations need to be updated:

dn: dnaHostname=ipa.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,dc=example,dc=com
dnaRemoteConnProtocol: TLS
dnaRemoteBindMethod: SASL/GSSAPI

dnaRemoteBindDN and dnaRemoteBindCred do not need to be configured in the DNA plugin configuration as we are authenticating via GSSAPI and thus do not need those options.

Second step is to authorize the replica that is not a direct replication peer of the IPA master to perform the remote DNA call. The replica LDAP service DN needs to be added to nsDS5ReplicaBindDN on the remote IPA master replica configuration (cn=replica,cn=<suffix>,cn=mapping tree,cn=config) so that the IPA master can allow the operation.

In order to be able to automate this step, 389-ds-base Bug 1052754 needs to be implemented first.

(In reply to Martin Kosek from comment #5)
> dn:
> dnaHostname=ipa.example.com+dnaPortNum=389,cn=posix-ids,cn=dna,cn=ipa,cn=etc,
> dc=example,dc=com
> dnaRemoteConnProtocol: TLS
> dnaRemoteBindMethod: SASL/GSSAPI

As Simo advised, dnaRemoteConnProtocol can be set to plain "LDAP" as with "SASL/GSSAPI" one gets the encryption for free.

The ticket was postponed upstream to the next release, see the details in https://fedorahosted.org/freeipa/ticket/4026#comment:13

The RHEL work will be therefore postponed too. Sorry for the inconvenience.

Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/6851e560dd1c9f4df98fd6b9d3063cd7dcc3bafc
ipa-4-3: https://fedorahosted.org/freeipa/changeset/4531eaedfbc45bd8b1d11ebda48b92d1589ad1b3

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Created attachment 1202450 [details]
evidence

verified 4.4.0-12

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html
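Added example, not code from this bug or from the FreeIPA/389-ds projects: a small Python helper that emits the two LDIF changes the description walks through (the dnaRemote* attributes on the shared DNA entry, and the replica's LDAP service DN added to nsDS5ReplicaBindDN) and audits an existing shared DNA entry for a leftover stored bind DN or credential. The IPA LDAP service DN layout and the escaped suffix in the replica config DN are assumptions; verify them with ldapsearch on your own deployment.

```python
"""Constructed example: build the LDIF changes described in the bug and audit a
DNA shared-config entry. Illustrative only; DN layouts marked 'assumed' may differ."""
from typing import Dict, List

# IPA keeps a host's LDAP service under cn=services (assumed layout for this example).
LDAP_SVC_DN = "krbprincipalname=ldap/{host}@{realm},cn=services,cn=accounts,{suffix}"


def dna_shared_config_dn(host: str, port: int, suffix: str) -> str:
    """Multi-valued RDN of the shared DNA config entry, as quoted in the bug."""
    return (f"dnaHostname={host}+dnaPortNum={port},"
            f"cn=posix-ids,cn=dna,cn=ipa,cn=etc,{suffix}")


def dna_remote_ldif(host: str, port: int, suffix: str, protocol: str = "LDAP") -> str:
    """LDIF modify setting the dnaRemote* attributes. No dnaRemoteBindDN or
    dnaRemoteBindCred is written: SASL/GSSAPI authenticates and encrypts the
    remote call, so plain LDAP is acceptable as the transport."""
    return "\n".join([
        f"dn: {dna_shared_config_dn(host, port, suffix)}",
        "changetype: modify",
        "replace: dnaRemoteConnProtocol",
        f"dnaRemoteConnProtocol: {protocol}",
        "-",
        "replace: dnaRemoteBindMethod",
        "dnaRemoteBindMethod: SASL/GSSAPI",
        "",
    ])


def replica_binddn_ldif(replica_cfg_dn: str, replica_host: str, realm: str, suffix: str) -> str:
    """LDIF modify authorising the non-peer replica's LDAP service DN on the master's
    replica entry (cn=replica,cn=<suffix>,cn=mapping tree,cn=config)."""
    svc = LDAP_SVC_DN.format(host=replica_host, realm=realm, suffix=suffix)
    return "\n".join([f"dn: {replica_cfg_dn}", "changetype: modify",
                      "add: nsDS5ReplicaBindDN", f"nsDS5ReplicaBindDN: {svc}", ""])


def audit_dna_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Flag shared DNA entries that still rely on a stored bind identity or lack
    the remote settings. Attribute names are matched case-insensitively."""
    attrs = {k.lower(): v for k, v in entry.items()}
    problems = []
    if attrs.get("dnaremotebindmethod") != ["SASL/GSSAPI"]:
        problems.append("dnaRemoteBindMethod is not SASL/GSSAPI")
    if attrs.get("dnaremoteconnprotocol", [""])[0] not in ("LDAP", "TLS"):
        problems.append("dnaRemoteConnProtocol missing or unexpected")
    for attr in ("dnaRemoteBindDN", "dnaRemoteBindCred"):
        if attr.lower() in attrs:  # a stored DN/password is an extra secret to protect
            problems.append(f"{attr} is set but unnecessary with GSSAPI")
    return problems
```

The generated LDIF is meant to be fed to ldapmodify as a GSSAPI-authenticated admin; the audit function takes an entry already fetched from the directory as a dict of attribute lists.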