<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 01/13/2014 03:01 PM, Dimitar Georgievski wrote:
<blockquote
cite="mid:CAHSnsob54Fd4CTL8=9qZuRvZfqv+kzxiXduck2qe3cE=qUsZjQ@mail.gmail.com"
type="cite">
<div dir="ltr"><br>
<div>I was referring to user accounts, and I believe they
require certificates. With the Primary IPA being down I was
not able to create new user entries on the replica servers. <br>
</div>
</div>
</blockquote>
<br>
Hm? What kind of error do you get? What does the HTTP log show on the
replica you are performing the operation against?<br>
User accounts have a certificate attribute, but it is not used yet, so
it might be something else not related to certificates.<br>
Answers to the questions above would help.<br>
Also here are some hints that might be helpful in collecting and
preparing information for our analysis:
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/Troubleshooting">http://www.freeipa.org/page/Troubleshooting</a><br>
<blockquote
cite="mid:CAHSnsob54Fd4CTL8=9qZuRvZfqv+kzxiXduck2qe3cE=qUsZjQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>
Hopefully the CA fail-over requirement is addressed in a new
release of FreeIPA.</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
<div>Dimitar</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Jan 13, 2014 at 1:36 PM, Dmitri
Pal <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb">
<div class="h5">On 01/13/2014 01:33 PM, Rob Crittenden
wrote:<br>
> Dimitar Georgievski wrote:<br>
>> This question is really about HA of FreeIPA.
I've noticed that new<br>
>> records cannot be added on the replica server
while the primary is down.<br>
>><br>
>> Ideally these services should be always
available even when the Primary<br>
>> server is down (for maintenance or other
reasons).<br>
>><br>
>> Is it possible to have another Primary server
replicating with the first<br>
>> Primary or to use one of the Replica servers to
manage records while the<br>
>> Primary server is down.<br>
><br>
> All servers in IPA are equal masters, the only
difference may be the<br>
> services running on any given server (DNS and a
CA).<br>
><br>
> The exception is if a master runs out of DNA values
or has never been<br>
> used to add an entry that requires one and the
original IPA master is<br>
> down. An IPA server will request a DNA range the
first time it needs<br>
> one but doesn't get one until then. I'm guessing
that is what happened.<br>
><br>
> I believe IPA 3.3 added some options to
ipa-replica-manage to be able<br>
> to control the DNA configuration.<br>
<br>
<br>
</div>
</div>
We might be talking about the entries that have
certificates. Is this<br>
the case?<br>
If so, the certificate operations are proxied to the server
that has the full<br>
CA, but AFAIR there is no failover there and I vaguely
recall that there<br>
was a ticket filed to address this scenario.<br>
<br>
So which entries are we talking about?<br>
<br>
><br>
> rob<br>
><br>
> _______________________________________________<br>
> Freeipa-users mailing list<br>
> <a moz-do-not-send="true"
href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
> <a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
--<br>
Thank you,<br>
Dmitri Pal<br>
<br>
Sr. Engineering Manager for IdM portfolio<br>
Red Hat Inc.<br>
<br>
<br>
-------------------------------<br>
Looking to carve out IT costs?<br>
<a moz-do-not-send="true"
href="http://www.redhat.com/carveoutcosts/"
target="_blank">www.redhat.com/carveoutcosts/</a><br>
<br>
<br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
</pre>
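<p>Added example, not part of the original thread: a check for the DNA-range condition described in the quoted reply, flagging masters that hold no DNA range or only a small one. It assumes <code>ipa-replica-manage dnarange-show</code> (IPA 3.3 or later) prints one "host: START-END" or "host: No range set" line per master; the hostnames, ranges, threshold and the function name <code>masters_at_risk</code> are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: find IPA masters that could not create POSIX entries
# on their own because they hold no (or almost no) DNA range.
# Assumption: input is in the "host: START-END" / "host: No range set"
# form printed by `ipa-replica-manage dnarange-show`.

# Constructed sample output; hostnames and ranges are made up.
SAMPLE_OUTPUT='ipa1.example.com: 1000-1499
ipa2.example.com: No range set
ipa3.example.com: 1500-1509'

# masters_at_risk MIN_IDS
# Reads dnarange-show output on stdin and prints:
#   "<host> none"     for a master that has no range assigned
#   "<host> low <n>"  for a master whose displayed range has < MIN_IDS ids
# Masters with a large enough range produce no output.
masters_at_risk() {
    min_ids=$1
    awk -v min="$min_ids" -F': ' '
        $2 == "No range set" { print $1, "none"; next }
        $2 ~ /^[0-9]+-[0-9]+$/ {
            split($2, r, "-")
            size = r[2] - r[1] + 1
            if (size < min) print $1, "low", size
        }'
}

# On a live server (run as an IPA admin):
#   ipa-replica-manage dnarange-show | masters_at_risk 100
printf '%s\n' "$SAMPLE_OUTPUT" | masters_at_risk 100
```

<p>A master reported as "none" has not yet requested a range and, per the quoted reply, will need to obtain one from another master the first time it adds an entry that requires one.</p>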
</body>
</html>