When a replica is installed, a new set of Custodia keys are create locally. The public keys are uploaded to the local 389-DS instance. Then Custodia waits until it sees the keys on its replication peer. For busy systems, replication can talk a while. In worst case, the installer runs into a timeout.
Further more, the installer creates multiple instances of the Custodia client object. In the replica promotion case with CA setup, some parts talk to a Custodia instance on replica master, other instances to Custodia instance on the CA replica master. Replica and CA replica can be different hosts.
Installers now pass a single CustodiaInstance object around, instead of creating new instances on demand. In case of replica promotion with CA, the instance gets all secrets from a master with CA present. Before, an installer created multiple instances and may have requested CA key material from a different machine than DM password hash.
In case of Domain Level 1 and replica promotion, the CustodiaInstance no longer adds the keys to the local instance and waits for replication to other replica. Instead the installer directly uploads the new public keys to the remote 389-DS instance.
Without promotion, new Custodia public keys are still added to local 389-DS over LDAPI.
Metadata Update from @cheimes: - Issue assigned to cheimes
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1860
Metadata Update from @pvoborni: - Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5)
master:
ipa-4-6:
ipa-4-5:
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1577108
Issue linked to bug 1577108
Login to comment on this ticket.