#598 [RFE] Support mechanism for re-encrypting attribute during replication
Closed: wontfix 4 years ago by mreynolds. Opened 11 years ago by ohamada.

For replication of Kerberos keys in FreeIPA:
Encrypted attributes containing a secret key should be re-encrypted when they are being replicated from the master server to a read-only replica. On the master server the keys are encrypted by the master's master key. They must be decrypted on the master first. Then they must be encrypted by a key known both to the target read-only replica and the master. The re-encryption should be done on the fly.

On IRC the following ways were mentioned:

A) provide a replication API that allows intercepting data prior to replicating it

B) extend the attribute encryption feature - make it possible to specify that certain attributes are stored encrypted by a method provided by ourselves
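
The re-encryption step requested above, sketched as an added example; it is not code from 389-ds-base or FreeIPA, and this ticket was closed without an implementation. Assumptions: AES-256-GCM as the cipher, a replica key already shared out of band, and hypothetical names (`newGCM`, `sealAttr`, `openAttr`, `ReencryptForReplica`); the DN, attribute value and keys are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealAttr(g cipher.AEAD, pt, aad []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aad), nil // nonce || ciphertext || tag
}

func openAttr(g cipher.AEAD, blob, aad []byte) ([]byte, error) {
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], aad)
}

// ReencryptForReplica: hypothetical pre-replication hook (option A above).
func ReencryptForReplica(master, replica cipher.AEAD, stored, aad []byte) ([]byte, error) {
	pt, err := openAttr(master, stored, aad) // cleartext exists only on the master
	if err != nil {
		return nil, fmt.Errorf("decrypt with master key: %w", err)
	}
	return sealAttr(replica, pt, aad)
}

func main() {
	m, _ := newGCM(make([]byte, 32)) // constructed demo keys, not real key handling
	r, _ := newGCM(append(make([]byte, 31), 1))
	aad := []byte("uid=alice,dc=example,dc=test|krbPrincipalKey") // binds value to entry + attribute
	stored, _ := sealAttr(m, []byte("constructed key material"), aad)
	out, err := ReencryptForReplica(m, r, stored, aad)
	fmt.Println(len(out), err)
}
```

The value sent to the replica opens only with the shared key and only for the same entry and attribute, so the master's master key never has to leave the master.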


Metadata Update from @ohamada:
- Issue set to the milestone: FUTURE

7 years ago

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to None
- Issue close_status updated to: None
- Issue tagged with: RFE

6 years ago

Metadata Update from @mreynolds:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

4 years ago

389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in 389-ds-base's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/598

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
