[Freeipa-devel] Understanding FreeIPA replica internals

Dmitri Pal dpal at redhat.com
Fri May 23 13:28:14 UTC 2014


On 05/23/2014 06:42 AM, Martin Kosek wrote:
> On 05/23/2014 07:01 AM, James wrote:
>> I'm trying to understand some of the FreeIPA replication internals so
>> that I can better know how to do this properly in Puppet without
>> storing any secret information in Puppet, and so that automating
>> FreeIPA is awesome.
>>
>> Please point me to any docs, if there is reading I could be doing :)
>>
>> Here are some open questions I have:
>>
>> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
>> password and is that password equal to the dm_password ? If not, where
>> do the pub/priv key pairs come from and how do they get transferred to
>> the replica.
> Yes. Grep for function expand_replica_info in FreeIPA git.
>
>> 2) If I have root on the IPA server (actually all of them) how can I
>> run ipa-replica-prepare without needing interactive prompting for
>> entering the password. It's not possible with puppet. Is there another
>> (possibly less user friendly even) method to "prepare" the replica?
>> What is prepare actually doing?
> For that, you can for example use --password for passing the DM password.

I guess the question is more:
If I am root is there any way to do the operation without providing the 
password but rather using something like LDAPI to drive the operation.
The issue is that if you use puppet there is no way to get the password 
dynamically from some kind of source without baking it into the scripts.
Baking passwords into scripts is bad so to avoid it there needs to be a 
way for root to install a replica without it. I am not sure it is 
currently possible though.

>
>
>> 3) With a multi master setup, what happens if I run the same action
>> (eg: user-mod or user-add or user-del) on more than one server.
> I would not do that, you risk replication conflicts on entries or attributes.
> More here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>
>> Can I
>> run it on any server?
> Yes.
>
>> What if I run different user-mod commands of the
>> same user on different masters. Is there split brain?
> Then you get a replication conflict. I think in case of attributes, last
> modification wins.
>
>> Are all the
>> transactions and writes synchronous across the whole cluster?
> They are not synchronous, it takes some time for a change to replicate to all
> masters.
>
>> Please
>> point me to a doc that explains this FAQ stuff if possible. Sorry for
>> the noise
> You should be able to get a reasonable starting information here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Replication_Process.html
>
> or here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html
>
> HTH,
> Martin


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
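Martin's answer to question 3 (run the same write on two masters and you get a replication conflict, resolved by a last-writer-wins rule for attributes) is the point a defender most wants to be able to check. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from 389 Directory Server. It assumes the behaviour documented for 389 DS (FreeIPA's LDAP backend): the losing entry of a naming conflict is renamed to `nsuniqueid=<id>+<original RDN>` and given the operational attribute `nsds5ReplConflict`, whose value is assumed to have the shape `<reason> [(<operation>)] <original DN>`. The LDIF is constructed sample data standing in for an `ldapsearch` export that requests `nsds5ReplConflict` explicitly; the function names are mine.

```python
"""Scan an LDIF export of a 389-ds/FreeIPA master for replication conflict
entries. Added example: assumptions about attribute names and value format
are noted inline and are not taken from the mailing-list thread."""
import base64
import re
from typing import Dict, List

# 389-ds marks the losing entry with this operational attribute (assumption:
# attribute name per 389-ds replication docs; compared case-insensitively).
CONFLICT_ATTR = "nsds5replconflict"
# Assumed value shape: "<reason> [(<operation>)] <original DN>", e.g.
# "namingConflict uid=alice,..." or "namingConflict (ADD) uid=alice,..."
CONFLICT_VALUE_RE = re.compile(r"^(\w+)\s*(?:\(([^)]*)\))?\s*(.*)$")
# Conflict entries are renamed "nsuniqueid=<id>+<original RDN>,..."
NSUNIQUEID_RE = re.compile(r"^nsuniqueid=([^+,]+)\+", re.IGNORECASE)

# Constructed sample export: alice was added on two masters at once, so one
# copy survived under its original DN and the other was renamed as a conflict.
SAMPLE_LDIF = """\
dn: uid=alice,cn=users,cn=accounts,dc=example,dc=com
uid: alice
cn: Alice

dn: nsuniqueid=66446001-1dd211b2-66225794-12345678+uid=alice,cn=users,
 cn=accounts,dc=example,dc=com
uid: alice
cn: Alice
nsds5ReplConflict: namingConflict uid=alice,cn=users,cn=accounts,dc=example,dc=com

dn: uid=bob,cn=users,cn=accounts,dc=example,dc=com
uid: bob
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: blank line ends an entry, '::' marks base64 values,
    attribute names are lowercased, every attribute maps to a list of values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in _unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def find_conflicts(entries: List[Dict[str, List[str]]]) -> List[Dict[str, object]]:
    """Return one record per conflict marker, with the DN it was renamed to,
    the reason, the original DN and whether the winning entry still exists."""
    known_dns = {e.get("dn", [""])[0].lower() for e in entries}
    conflicts: List[Dict[str, object]] = []
    for entry in entries:
        dn = entry.get("dn", [""])[0]
        for value in entry.get(CONFLICT_ATTR, []):
            match = CONFLICT_VALUE_RE.match(value)
            reason, operation, original_dn = (
                (match.group(1), match.group(2), match.group(3)) if match else (value, None, "")
            )
            uid_match = NSUNIQUEID_RE.match(dn)
            conflicts.append({
                "dn": dn,
                "nsuniqueid": uid_match.group(1) if uid_match else None,
                "reason": reason,
                "operation": operation,
                "original_dn": original_dn,
                "original_present": original_dn.lower() in known_dns,
            })
    return conflicts


def report(text: str) -> List[Dict[str, object]]:
    """Parse an export, print a one-line summary per conflict, return the records."""
    found = find_conflicts(parse_ldif(text))
    for c in found:
        status = "winner still present" if c["original_present"] else "winner missing"
        print(f"{c['reason']}: {c['dn']} (original {c['original_dn']}, {status})")
    return found


if __name__ == "__main__":
    report(SAMPLE_LDIF)
```

Run against a real export, the `original_present` flag separates the common naming conflict (both copies exist; an administrator decides which attribute values to keep and removes the renamed entry) from an orphaned conflict entry whose parent was deleted on another master; the Red Hat conflict-resolution chapter Martin links covers both cases.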