enhancements to freeipa replication topology management
play

Enhancements to FreeIPA Replication Topology Management Jan - PowerPoint PPT Presentation

Dec 15, 2022 •166 likes •352 views

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015 FreeIPA Integration of multiple identity-management tools. directory

  1. Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015

  2. FreeIPA ■ Integration of multiple identity-management tools. ■ directory server ■ Kerberos key distribution center ■ optionally DNS server, certification authority, vault ■ WebUI ■ command-line interface FreeIPA server Jan Pazdziora 2 / 17

  3. Identities and policies ■ Identities managed: ■ users, user groups, hosts, host groups, services, ... ■ with certificates, keytabs, ... ■ Policies: ■ ACLs in server itself; ■ host-based access control for IPA-enrolled systems. FreeIPA server Jan Pazdziora 3 / 17

  4. FreeIPA WebUI FreeIPA server Jan Pazdziora 4 / 17

  5. IPA-enrolled systems ■ SSSD (System Security Services Daemon): ■ NSS (Name Service Switch) service; ■ PAM (Pluggable Authentication Module) service; ■ plugs to other subsystems — sudo, Kerberos, ... ■ DNS records can prioritize IPA servers used: # /etc/sssd/sssd.conf [domain/example.test] ipa_server = _srv_, ipa1.example.test ... ■ KDC's IP address cached in /var/lib/sss/pubconf/ kdcinfo.* . FreeIPA clients Jan Pazdziora 5 / 17

  6. FreeIPA replication IPA realm ⇔ IPA server IPA server replication ↗ ↑ ↖ IPA-enrolled IPA-enrolled IPA-enrolled system system system ■ IPA servers get found via DNS or with their hostname hardcoded on clients. FreeIPA replication Jan Pazdziora 6 / 17

  7. FreeIPA 4.2 replication setup ■ Multi-master replication. ■ Setup of new replica: ■ Remember the Directory Manager password. ■ Create GPG-encrypted replica information file. ipa1# ipa-replica-prepare ipa2.example.com ■ Transfer the encrypted file to the replica machine. ■ Setup the replica: ipa2# ipa-replica-install \ replica-info-ipa2.example.com.gpg FreeIPA replication Jan Pazdziora 7 / 17

  8. FreeIPA 4.2 replication ■ Replica setup is a two-step process. ■ Hard to automate. ■ ipa-replica-manage tool ■ Has to connect to all replicas directly to run actions. ■ No centralized overview of CAs and their replication. FreeIPA replication Jan Pazdziora 8 / 17

  9. Upcoming FreeIPA 4.3 release Two areas of replication improvement: ■ Replica promotion. ■ Topology plugin. Upcoming FreeIPA 4.3 Jan Pazdziora 9 / 17

  10. Replica promotion ■ Promotion of any IPA-enrolled client to FreeIPA replica. ■ The ipa-replica-install tool still used. ■ GPG-encrypted file no longer needed. ■ New API on IPA servers. ■ Standard Kerberos authentication. ■ Note: keep credentials secure especially in case of automated setup. Upcoming FreeIPA 4.3 Jan Pazdziora 10 / 17

  11. Replica promotion ■ Check /etc/ipa/default.conf points to the master. [global] server = ipa1.example.test xmlrpc_uri = https://ipa1.example.test/ipa/xml ■ After replica promotion, it gets updated to point to itself. xmlrpc_uri = https://ipa2.example.test/ipa/xml ■ Domain level at least 1 (important for upgrades). ipa1# ipa domainlevel-get ----------------------- Current domain level: 1 ----------------------- Upcoming FreeIPA 4.3 Jan Pazdziora 11 / 17

  12. Topology information ■ Topology info is now replicated across all replicas. Upcoming FreeIPA 4.3 Jan Pazdziora 12 / 17

  13. Topology information ipa1# ipa topologysegment-find realm ------------------ 2 segments matched ------------------ Segment name: ipa1.example.test-to-ipa2.example.test Left node: ipa1.example.test Right node: ipa2.example.test Connectivity: both Segment name: ipa2.example.test-to-ipa3.example.test Left node: ipa2.example.test Right node: ipa3.example.test Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- Upcoming FreeIPA 4.3 Jan Pazdziora 13 / 17

  14. Topology plugin ■ Segment is added by creating it in directory server. ■ Information gets replicated to the target nodes. ■ New replication agreement is established. ■ CA and Password Vault information is included. ■ Not all nodes need to have CA and Vault installed. Upcoming FreeIPA 4.3 Jan Pazdziora 14 / 17

  15. Topology management ■ Drive topology from one place. IPA 3 ↙↗ IPA 1 ←→ IPA 2 ⇡⇣ ↖↘ IPA 4 ■ From IPA 1, segment between IPA 3 and IPA 4 can be added. ipa1# ipa topologysegment-add realm ... Upcoming FreeIPA 4.3 Jan Pazdziora 15 / 17

  16. Conclusion ■ Replica promotion — directly from IPA-enrolled client. ■ Client can be created, enrolled, and promoted without manual action on master. ■ Replication topology is now in shared data. ■ Management from one node possible. ■ Coming in FreeIPA 4.3 release. Conclusion Jan Pazdziora 16 / 17

  17. References ■ www.freeipa.org/page/V4/Replica_Promotion ■ www.freeipa.org/page/V4/Manage_replication_topology Conclusion Jan Pazdziora 17 / 17

Recommend

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red Hat, Inc. What is FreeIPA ? Acronym: Free Identity, Policy, Audit Purpose: Make it simpler to manage a complex problem

730 views • 28 slides
FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software Engineer, Red Hat Inc. https://github.com/freeipa/ansible-freeipa/ AGENDA Project goals IPA installers vs. ansible-freeipa IPA client installation

406 views • 16 slides
Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1 Simo Sorce What is FreeIPA ? FreeIPA is a Directory and Authentication Server aka a Domain Controller Primarily targets at Linux servers.

487 views • 31 slides
ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent

ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent

ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent Multimedia Transport <draft lim irtf sam alm api 00.txt > p 71 ST IETF SAM RG MEETING, PHILADELPHIA. Lim Boon Ping

231 views • 19 slides
Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

298 views • 29 slides
GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017 ABOUT:ME Sr. Principal Software Engineer at Red Hat Samba Team member since 2003 Core FreeIPA developer since 2011 2 WHAT IS THIS TALK

669 views • 30 slides
Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other

Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other

Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other DBMS as well Seppo Jaakola Alexey Yurchenko Contents 1.Galera Cluster 2.Replication API 3.Benchmarking 4.Installation & Management

1.04k views • 59 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no

738 views • 48 slides
FinChain Financial Markets Re-engineered By Steve Fernandez FinChain Topology Satellite Chains

FinChain Financial Markets Re-engineered By Steve Fernandez FinChain Topology Satellite Chains

FinChain Financial Markets Re-engineered By Steve Fernandez FinChain Topology Satellite Chains Block Chain Master Replication Nodes Block Chain Database Regulator Smart Autonomous Contracts Replication Primary dB dB [secondary]

306 views • 12 slides
Decision on interconnection process enhancements for queue management Deb Le Vine Director of

Decision on interconnection process enhancements for queue management Deb Le Vine Director of

Decision on interconnection process enhancements for queue management Deb Le Vine Director of Infrastructure Contracts & Management Board of Governors Meeting General Session September 12, 2013 The interconnection process enhancements

178 views • 6 slides
Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

January 30th, 2016 FOSDEM16 Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com ) Enterprise desktop at home with FreeIPA and GNOME 2 Enterprise? Enterprise desktop at home with FreeIPA and GNOME 3 *

978 views • 71 slides
Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Distributed Systems Lecture 5 1 Replication 15.1 Group Communications 15.2 Fault Services 15.3 Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of read-only data is simple, but replication

726 views • 14 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall 2000 Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a

688 views • 48 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall 2000 Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a

247 views • 24 slides
FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander Bokovoy FreeIPA and cross-distribution packaging experience about:me Red Hat Sr. Principal software engineer at Red Hat Identity

793 views • 31 slides
Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5

Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5

Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5 3 G ACGAT 3 5 3 5 C A A G G T C A C A Issues & Complications, I 1st ~10 nts added are called the primer

420 views • 11 slides
New features in MySQL Replication Lars Thalmann, Development Manager, Replication & Backup

New features in MySQL Replication Lars Thalmann, Development Manager, Replication & Backup

<Insert Picture Here> New features in MySQL Replication Lars Thalmann, Development Manager, Replication & Backup Mats Kindahl, Lead Developer, Replication & Plugins MySQL User Conference 2010 Topics Replication features in

461 views • 34 slides
Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Principal Software Engineer, Red Hat // Samba Team SambaXP16 Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 2

1.33k views • 106 slides
MySQL Replication Tutorial Mats Kindahl Senior Software Engineer Replication Technology Lars

MySQL Replication Tutorial Mats Kindahl Senior Software Engineer Replication Technology Lars

MySQL Replication Tutorial Mats Kindahl Senior Software Engineer Replication Technology Lars Thalmann Development Manager Replication/Backup Tutorial Outline Terminology and Basic Concepts Basic Replication Replication for

1.46k views • 125 slides
August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

State of Connecticut Criminal Justice Information System Connecticut Information Sharing System (CISS) Technology Workshop 1: Data Replication/ETL August 23, 2012 Data Replication/ETL: Terms Data Replication : Data Replication is the process of

535 views • 24 slides
Reasons for Replication Two primary reasons for replication: reliability and performance .

Reasons for Replication Two primary reasons for replication: reliability and performance .

An Introduction to the high- availability and high-consistency problem Ignacio Laguna, Fahad Arshad Dependable Computing Systems Laboratory Purdue University Aug 29, 2007 Reasons for Replication Two primary reasons for replication:

257 views • 8 slides
1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

1 Issues and Techniques for Weak Replication Bayou Basics Issues and Techniques for Weak

Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no denial of service during transient network partitions - supports massive

319 views • 8 slides
Replication and Migration Background, Requirements and Strawman Migration and Replication

Replication and Migration Background, Requirements and Strawman Migration and Replication

Replication and Migration Background, Requirements and Strawman Migration and Replication The point is: Increased availability Through replication of shared read-only data Less NFS Server not responding The point is:

265 views • 25 slides
WHAT DO WE KNOW ABOUT THE TOPOLOGY? WHAT DO WE KNOW ABOUT THE TOPOLOGY? Number of nodes and

WHAT DO WE KNOW ABOUT THE TOPOLOGY? WHAT DO WE KNOW ABOUT THE TOPOLOGY? Number of nodes and

TxProbe: Discovering Bitcoins Network Topology Using Orphan Transactions Sergi Delgado-Segura , Surya Bakshi, Cristina Prez-Sol, James Litton, Andrew Pachulski, Andrew Miller and Bobby Bhattacharjee sr_gi WHAT DO WE KNOW ABOUT THE TOPOLOGY?

1.84k views • 162 slides

More recommend