enhancements to freeipa replication topology management
play

Enhancements to FreeIPA Replication Topology Management Jan - PowerPoint PPT Presentation

Dec 15, 2022 •166 likes •352 views

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015 FreeIPA Integration of multiple identity-management tools. directory

  1. Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015

  2. FreeIPA ■ Integration of multiple identity-management tools. ■ directory server ■ Kerberos key distribution center ■ optionally DNS server, certification authority, vault ■ WebUI ■ command-line interface FreeIPA server Jan Pazdziora 2 / 17

  3. Identities and policies ■ Identities managed: ■ users, user groups, hosts, host groups, services, ... ■ with certificates, keytabs, ... ■ Policies: ■ ACLs in server itself; ■ host-based access control for IPA-enrolled systems. FreeIPA server Jan Pazdziora 3 / 17

  4. FreeIPA WebUI FreeIPA server Jan Pazdziora 4 / 17

  5. IPA-enrolled systems ■ SSSD (System Security Services Daemon): ■ NSS (Name Service Switch) service; ■ PAM (Pluggable Authentication Module) service; ■ plugs to other subsystems — sudo, Kerberos, ... ■ DNS records can prioritize IPA servers used: # /etc/sssd/sssd.conf [domain/example.test] ipa_server = _srv_, ipa1.example.test ... ■ KDC's IP address cached in /var/lib/sss/pubconf/ kdcinfo.* . FreeIPA clients Jan Pazdziora 5 / 17

  6. FreeIPA replication IPA realm ⇔ IPA server IPA server replication ↗ ↑ ↖ IPA-enrolled IPA-enrolled IPA-enrolled system system system ■ IPA servers get found via DNS or with their hostname hardcoded on clients. FreeIPA replication Jan Pazdziora 6 / 17

  7. FreeIPA 4.2 replication setup ■ Multi-master replication. ■ Setup of new replica: ■ Remember the Directory Manager password. ■ Create GPG-encrypted replica information file. ipa1# ipa-replica-prepare ipa2.example.com ■ Transfer the encrypted file to the replica machine. ■ Setup the replica: ipa2# ipa-replica-install \ replica-info-ipa2.example.com.gpg FreeIPA replication Jan Pazdziora 7 / 17

  8. FreeIPA 4.2 replication ■ Replica setup is a two-step process. ■ Hard to automate. ■ ipa-replica-manage tool ■ Has to connect to all replicas directly to run actions. ■ No centralized overview of CAs and their replication. FreeIPA replication Jan Pazdziora 8 / 17

  9. Upcoming FreeIPA 4.3 release Two areas of replication improvement: ■ Replica promotion. ■ Topology plugin. Upcoming FreeIPA 4.3 Jan Pazdziora 9 / 17

  10. Replica promotion ■ Promotion of any IPA-enrolled client to FreeIPA replica. ■ The ipa-replica-install tool still used. ■ GPG-encrypted file no longer needed. ■ New API on IPA servers. ■ Standard Kerberos authentication. ■ Note: keep credentials secure especially in case of automated setup. Upcoming FreeIPA 4.3 Jan Pazdziora 10 / 17

  11. Replica promotion ■ Check /etc/ipa/default.conf points to the master. [global] server = ipa1.example.test xmlrpc_uri = https://ipa1.example.test/ipa/xml ■ After replica promotion, it gets updated to point to itself. xmlrpc_uri = https://ipa2.example.test/ipa/xml ■ Domain level at least 1 (important for upgrades). ipa1# ipa domainlevel-get ----------------------- Current domain level: 1 ----------------------- Upcoming FreeIPA 4.3 Jan Pazdziora 11 / 17

  12. Topology information ■ Topology info is now replicated across all replicas. Upcoming FreeIPA 4.3 Jan Pazdziora 12 / 17

  13. Topology information ipa1# ipa topologysegment-find realm ------------------ 2 segments matched ------------------ Segment name: ipa1.example.test-to-ipa2.example.test Left node: ipa1.example.test Right node: ipa2.example.test Connectivity: both Segment name: ipa2.example.test-to-ipa3.example.test Left node: ipa2.example.test Right node: ipa3.example.test Connectivity: both ---------------------------- Number of entries returned 2 ---------------------------- Upcoming FreeIPA 4.3 Jan Pazdziora 13 / 17

  14. Topology plugin ■ Segment is added by creating it in directory server. ■ Information gets replicated to the target nodes. ■ New replication agreement is established. ■ CA and Password Vault information is included. ■ Not all nodes need to have CA and Vault installed. Upcoming FreeIPA 4.3 Jan Pazdziora 14 / 17

  15. Topology management ■ Drive topology from one place. IPA 3 ↙↗ IPA 1 ←→ IPA 2 ⇡⇣ ↖↘ IPA 4 ■ From IPA 1, segment between IPA 3 and IPA 4 can be added. ipa1# ipa topologysegment-add realm ... Upcoming FreeIPA 4.3 Jan Pazdziora 15 / 17

  16. Conclusion ■ Replica promotion — directly from IPA-enrolled client. ■ Client can be created, enrolled, and promoted without manual action on master. ■ Replication topology is now in shared data. ■ Management from one node possible. ■ Coming in FreeIPA 4.3 release. Conclusion Jan Pazdziora 16 / 17

  17. References ■ www.freeipa.org/page/V4/Replica_Promotion ■ www.freeipa.org/page/V4/Manage_replication_topology Conclusion Jan Pazdziora 17 / 17

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red Hat, Inc. What is FreeIPA ? Acronym: Free Identity, Policy, Audit Purpose: Make it simpler to manage a complex problem

729 views • 28 slides
FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software Engineer, Red Hat Inc. https://github.com/freeipa/ansible-freeipa/ AGENDA Project goals IPA installers vs. ansible-freeipa IPA client installation

406 views • 16 slides
Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1 Simo Sorce What is FreeIPA ? FreeIPA is a Directory and Authentication Server aka a Domain Controller Primarily targets at Linux servers.

487 views • 31 slides
ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent

ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent

ALM API for Topology Management ALM API for Topology Management and Network Layer Transparent Multimedia Transport <draft lim irtf sam alm api 00.txt > p 71 ST IETF SAM RG MEETING, PHILADELPHIA. Lim Boon Ping

230 views • 19 slides
Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

298 views • 29 slides
GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017 ABOUT:ME Sr. Principal Software Engineer at Red Hat Samba Team member since 2003 Core FreeIPA developer since 2011 2 WHAT IS THIS TALK

669 views • 30 slides
Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other

Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other

Galera Replication Synchronous Multi-Master Replication for InnoDB ...well, why not for any other DBMS as well Seppo Jaakola Alexey Yurchenko Contents 1.Galera Cluster 2.Replication API 3.Benchmarking 4.Installation & Management

1.04k views • 59 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a weak consistency model. - no

738 views • 48 slides
FinChain Financial Markets Re-engineered By Steve Fernandez FinChain Topology Satellite Chains

FinChain Financial Markets Re-engineered By Steve Fernandez FinChain Topology Satellite Chains

FinChain Financial Markets Re-engineered By Steve Fernandez FinChain Topology Satellite Chains Block Chain Master Replication Nodes Block Chain Database Regulator Smart Autonomous Contracts Replication Primary dB dB [secondary]

306 views • 12 slides
Decision on interconnection process enhancements for queue management Deb Le Vine Director of

Decision on interconnection process enhancements for queue management Deb Le Vine Director of

Decision on interconnection process enhancements for queue management Deb Le Vine Director of Infrastructure Contracts & Management Board of Governors Meeting General Session September 12, 2013 The interconnection process enhancements

178 views • 6 slides
Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

January 30th, 2016 FOSDEM16 Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com ) Enterprise desktop at home with FreeIPA and GNOME 2 Enterprise? Enterprise desktop at home with FreeIPA and GNOME 3 *

978 views • 71 slides
Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of

Distributed Systems Lecture 5 1 Replication 15.1 Group Communications 15.2 Fault Services 15.3 Todays Topics - Chapter 15 Slide 1 performance enhancement Replication Replication of read-only data is simple, but replication

726 views • 14 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall 2000 Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a

688 views • 48 slides
Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall

Asynchronous Replication and Bayou Asynchronous Replication and Bayou Jeff Chase CPS 212, Fall 2000 Asynchronous Replication Asynchronous Replication Idea: build available/scalable information services with read-any-write-any replication and a

247 views • 24 slides
FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander Bokovoy FreeIPA and cross-distribution packaging experience about:me Red Hat Sr. Principal software engineer at Red Hat Identity

792 views • 31 slides
Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5

Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5

Bio Interlude DNA Replication DNA Replication: Basics G T T A A G T T T C 5 3 G ACGAT 3 5 3 5 C A A G G T C A C A Issues & Complications, I 1st ~10 nts added are called the primer

420 views • 11 slides
Module 3: Creating and Managing Databases Overview Creating Databases Creating

Module 3: Creating and Managing Databases Overview Creating Databases Creating

Module 3: Creating and Managing Databases Overview Creating Databases Creating Filegroups Managing Databases Introduction to Data Structures Creating Databases Defining Databases How the Transaction Log Works

445 views • 18 slides
Deploy your own replication system with Wal2json PGCONF.EU 2019 Mai PENG 17/10/2019 Hello

Deploy your own replication system with Wal2json PGCONF.EU 2019 Mai PENG 17/10/2019 Hello

Deploy your own replication system with Wal2json PGCONF.EU 2019 Mai PENG 17/10/2019 Hello Mai Peng , DBA @webedia movies pro Data operations : migrations Detect bottleneck latency Find solutions for Fast Data Processing

869 views • 32 slides
Big Data Processing Technologies Chentao Wu Associate Professor Dept. of Computer Science and

Big Data Processing Technologies Chentao Wu Associate Professor Dept. of Computer Science and

Big Data Processing Technologies Chentao Wu Associate Professor Dept. of Computer Science and Engineering wuct@cs.sjtu.edu.cn Schedule lec1: Introduction on big data and cloud computing Iec2: Introduction on data storage lec3: Data

1.28k views • 99 slides
as the Basis of a High- Performance Data Store William J. Bolosky , Dexter Bradshaw, Randolph B.

as the Basis of a High- Performance Data Store William J. Bolosky , Dexter Bradshaw, Randolph B.

Paxos Replicated State Machines as the Basis of a High- Performance Data Store William J. Bolosky , Dexter Bradshaw, Randolph B. Haagens, Norbert P. Kusters and Peng Li March 30, 2011 Q: How to build a fault-tolerant, high-performance data

531 views • 27 slides
Building a Lightweight High Availability Cluster Using RepMgr Stephan M uller June 29, 2018

Building a Lightweight High Availability Cluster Using RepMgr Stephan M uller June 29, 2018

Building a Lightweight High Availability Cluster Using RepMgr Stephan M uller June 29, 2018 Schedule Introduction Postgres high availability options Write ahead log and streaming replication Built-in tools Cluster management with RepMgr

401 views • 28 slides
GoldenGate GoldenGate Outline What is GoldenGate? Architecture Architecture

GoldenGate GoldenGate Outline What is GoldenGate? Architecture Architecture

Zbigniew Baranowski GoldenGate GoldenGate Outline What is GoldenGate? Architecture Architecture Performance GoldenGate vs Streams GoldenGate vs. Streams Monitoring Summary Summary What is GoldenGate?

636 views • 29 slides
France-Asia France-Asia Virtual Organization Virtual Organization Current status Current status

France-Asia France-Asia Virtual Organization Virtual Organization Current status Current status

France-Asia France-Asia Virtual Organization Virtual Organization Current status Current status Yonny CARDENAS Yonny CARDENAS VO-Manager VO-Manager FJPPL Workshop FJPPL Workshop CC-IN2P3, Lyon, March 13, 2012 CC-IN2P3, Lyon, March 13,

407 views • 15 slides
Daily backups should be performed on the Data Center servers. NC & SC use rman

Daily backups should be performed on the Data Center servers. NC & SC use rman

CISN/RSNs are currently running Oracle 10g Release 2. Oracle 11g Release 2 is the latest Oracle version. Oracle releases Critical Patch Updates on a quarterly basis. They contain security fixes and should be installed promptly.

330 views • 8 slides

More recommend