[Freeipa-devel] Understanding FreeIPA replica internals

Martin Kosek mkosek at redhat.com
Fri May 23 10:42:26 UTC 2014


On 05/23/2014 07:01 AM, James wrote:
> I'm trying to understand some of the FreeIPA replication internals so
> that I can better know how to do this properly in Puppet without
> storing any secret information in Puppet, and so that automating
> FreeIPA is awesome.
> 
> Please point me to any docs, if there is reading I could be doing :)
> 
> Here are some open questions I have:
> 
> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
> password and is that password equal to the dm_password ? If not, where
> do the pub/priv key pairs come from and how do they get transferred to
> the replica.

Yes. Grep for the function expand_replica_info in FreeIPA git.

> 
> 2) If I have root on the IPA server (actually all of them) how can I
> run ipa-replica-prepare without needing interactive prompting for
> entering the password. It's not possible with puppet. Is there another
> (possibly less user friendly even) method to "prepare" the replica?
> What is prepare actually doing?

For that, you can for example use --password to pass the DM password.


> 3) With a multi master setup, what happens if I run the same action
> (eg: user-mod or user-add or user-del) on more than one server.

I would not do that, you risk replication conflicts on entries or attributes.
More here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

> Can I
> run it on any server?

Yes.

> What if I run different user-mod commands of the
> same user on different masters. Is there split brain?

Then you get a replication conflict. I think in the case of attributes, the last
modification wins.

> Are all the
> transactions and writes synchronous across the whole cluster?

They are not synchronous; it takes some time for a change to replicate to all
masters.

> Please
> point me to a doc that explains this FAQ stuff if possible. Sorry for
> the noise

You should be able to get a reasonable starting information here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Replication_Process.html

or here:

https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html

HTH,
Martin
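The replication conflicts Martin refers to above are visible in the directory itself: when two masters accept the same add before replicating to each other, 389-ds keeps one copy under its original DN and renames the other to `nsuniqueid=<id>+<original RDN>,<parent>`, tagging it with `nsds5ReplConflict: namingConflict <original DN>`. The following is an added example (not code from the thread or from the FreeIPA project) that parses the LDIF an `ldapsearch` for `(nsds5ReplConflict=*)` would return and lists the conflict entries; the sample LDIF is constructed inline, and the user DN layout (`cn=users,cn=accounts`) and the nsuniqueid value are assumptions chosen to look like a FreeIPA deployment.

```python
"""Find 389-ds / FreeIPA replication conflict entries in LDIF output.

Added example, not FreeIPA project code.  The LDIF below is constructed;
in a real deployment it is what the following search returns:

    ldapsearch -x -D "cn=Directory Manager" -W -b dc=example,dc=com \\
        "(nsds5ReplConflict=*)" nsds5ReplConflict
"""
import base64
import re

# Constructed sample: the surviving entry plus the renamed duplicate that a
# second master created while the first one's add had not replicated yet.
# The nsuniqueid value is made up.
SAMPLE_LDIF = """\
dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe

dn: nsuniqueid=66446001-1dd211b2-66225011-2ee211db+uid=jdoe,cn=users,cn=accounts
 ,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
nsds5ReplConflict: namingConflict uid=jdoe,cn=users,cn=accounts,dc=example,dc=com
"""

# Conflict DN shape documented for 389-ds: nsuniqueid=<id>+<original RDN>,...
CONFLICT_DN_RE = re.compile(r"^nsuniqueid=([0-9a-f-]+)\+(.*)$", re.IGNORECASE)


def parse_ldif(text):
    """Parse LDIF text into a list of {attr_lower: [values]} dicts.

    Handles RFC 2849 continuation lines (a leading space joins the line to
    the previous value) and base64 values written as "attr:: <b64>".
    """
    entries, items = [], []

    def flush():
        if not items:
            return
        entry = {}
        for key, is_b64, value in items:
            if is_b64:
                value = base64.b64decode(value).decode("utf-8")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
        items.clear()

    for line in text.splitlines() + [""]:      # trailing "" flushes last entry
        if line == "":
            flush()
        elif line.startswith("#") or line.startswith("version:"):
            continue
        elif line.startswith(" ") and items:   # continuation of previous value
            key, is_b64, value = items[-1]
            items[-1] = (key, is_b64, value + line[1:])
        else:
            key, _, rest = line.partition(":")
            is_b64 = rest.startswith(":")
            value = rest[1:] if is_b64 else rest
            items.append((key.strip().lower(), is_b64, value.strip()))
    return entries


def find_conflicts(entries):
    """Return one record per entry carrying nsds5ReplConflict."""
    conflicts = []
    for entry in entries:
        marker = entry.get("nsds5replconflict")
        if not marker:
            continue
        dn = entry["dn"][0]
        match = CONFLICT_DN_RE.match(dn)
        kind, _, original_dn = marker[0].partition(" ")
        conflicts.append({
            "conflict_dn": dn,
            "nsuniqueid": match.group(1) if match else None,
            "kind": kind,                 # e.g. "namingConflict"
            "original_dn": original_dn,   # the DN the entry was meant to have
        })
    return conflicts


def delete_ldif(conflict):
    """LDIF change record that discards the renamed duplicate.

    Only correct once an admin has confirmed the surviving copy under
    original_dn is the one to keep; otherwise follow the RHDS guide to
    rename the conflict entry back instead.
    """
    return "dn: %s\nchangetype: delete\n" % conflict["conflict_dn"]


if __name__ == "__main__":
    for c in find_conflicts(parse_ldif(SAMPLE_LDIF)):
        print("%s on %s (conflict entry id %s)"
              % (c["kind"], c["original_dn"], c["nsuniqueid"]))
        print(delete_ldif(c))
```

Run this against the output of the `ldapsearch` quoted in the docstring rather than the embedded sample; because replication is asynchronous, a conflict only shows up after the two masters have exchanged their changes, so a clean result immediately after a write proves nothing.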
