[Freeipa-devel] Provisioning throughput
thierry bordaz
tbordaz at redhat.com
Thu May 26 11:56:57 UTC 2016
On 05/26/2016 12:23 PM, Alexander Bokovoy wrote:
> On Thu, 26 May 2016, thierry bordaz wrote:
>>>> The limitation would be to run the provisioning on IPA master.
>>>> During provisioning, membership attribute will be invalid (memberof
>>>> not computed). Is it acceptable that IPA master contains invalid
>>>> membership for some time?
>>> Consider provisioning to be at the same level as running
>>> ipa-server-upgrade -- access via 389/636 ports is not allowed, LDAPI is
>>> the only interface enabled which implies there would be no problem
>>> if we set expectations right: provisioning mode is offline.
>>
>> Yes, I agree, provisioning mode is offline.
>> My concern is about side effects on the rest of the topology if we
>> are putting IPA master offline (is password update possible on
>> replica?).
> Sure, update on replica would be queued in replication queue. Password
> changes are local anyway, they result in updates of a few password
> attributes and that's all. These attributes are replicated in the same way
> as anything else.
Yes, that is right.
I remember a discussion about the master key that was only available on
IPA master and I thought that IPA master had a specific role around krb
attributes. But if provisioning can be done on IPA master, it is then a
good idea to use root/ldapi to avoid getting the DM password.
Thanks for all your feedback and help.
thierry